Even as Microsoft is proclaiming victory in its efforts to thwart the Windows ‘Blaster’ virus, security firms are warning that several copycat worms are making the rounds, including one that installs itself on vulnerable systems and deletes the Msblast.exe worm.
According to Symantec Security Response, the new W32.Welchia.Worm
exploits the DCOM RPC
vulnerability and looks for the existence of the Msblast.exe file
dropped by the W32.Blaster.Worm. The ‘fixer’ worm then deletes Blaster from
an affected system.
Oliver Friedrichs, senior manager at Symantec, told
internetnews.com the Welchia variant also attempts to download the
DCOM RPC vulnerability patch from Microsoft’s update site. “If the update
has been successful, the worm will reboot the computer so the update takes
effect,” Friedrichs explained, warning that the worm presents a danger
regardless of its attempts to fix an affected system.
“With a worm like that, it may sound like it’s doing a good job but it’s
still infecting systems. It’s still something that needs to be eradicated,”
Friedrichs added.
Ken Dunham, a manager at security specialist iDefense, said the new worm
opens TCP port 707, which could lead to exploitation by a malicious actor.
“This upgrades the threat significantly,” Dunham said. “Some may call this
a good virus, but it can cause all sorts of problems when patches are
applied to a computer, unbeknownst to the administrator of that computer,”
he added.
According to Dunham, the new Welchia copycat doesn’t attempt to remove
itself from an infected computer until the year 2004. “This may be an
attempt for the worm to spread in the wild, patch vulnerable computers,
until most computers successfully update against the RPC vulnerability
exploited by DCOM RPC based worms,” he explained.
Symantec’s Friedrichs said the spread of Blaster appeared to be on the
decline. “Over the last 48 hours, we’ve seen a decline in infections by
about 15 to 20 percent. It’s down but it’s still out there. It also tells
us that there are a lot of unpatched systems, even today,” he added.
He said the latest data show more than 572,000 unique infections since
the worm first started to propagate on August 11. “The worm is now spreading
at about 15 percent of the rate it was at its highest peak. However, it will
not disappear until more systems deploy the security patch and/or deploy
firewall rules to block the relevant ports, in addition to having updated
virus definitions,” he added.
Symantec expects to see this worm or variants of it continuing to spread
in the wild for many months, but at much reduced rates.
iDefense’s Dunham echoed calls for users to update against the DCOM RPC
vulnerability. “Thousands of computers have been compromised with Trojans
as well as hundreds of thousands of computers compromised by recent DCOM RPC
based worms,” he added.