Networks must counter triple threat

21 Aug 2003 13:01


Three security threats have taken turns wreaking havoc in the past few weeks. How should MSBlast, Welchia and Sobig be handled?

After several months of relative calm on the virus front, with only low-level threats, last week the MSBlast worm assaulted many networks and wreaked havoc on a lot of PCs. This week, the Welchia worm -- which is actually supposed to remove Blaster -- arrived and began causing additional problems. Not only that, but a hot new version of the old Sobig mass-mailing worm has turned lethal and begun infecting many systems with its own brand of mischief.

MSBlast
Despite repeated warnings from Microsoft, columnists, and even the US federal government, a lot of systems are suffering denial of service (DoS) conditions caused by the Blaster worm (also known as Msblast.exe, Lovesan, and Posa). Blaster exploits the DCOM RPC buffer overflow in Windows NT 4.0, 2000, XP and Server 2003, the flaw covered by Microsoft Security Bulletin MS03-026. If an unpatched system is reachable on TCP port 135, the worm exploits it, copies msblast.exe onto the victim and runs it.

Fortunately, the initial worm was poorly designed. However, by Wednesday 13 August, Kaspersky Labs reported that its security team had already seen a slightly "improved" version that could coexist on the same computer with the original version -- meaning that you can have two Blaster infections simultaneously. Files in the new version are teekids.exe (5.3K) and penis32.exe (7.2K).

As CNET News.com reported, "MSBlast does not spread via email. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer. MSBlast contains a denial-of-service (DoS) attack aimed at Microsoft's windowsupdate.com. The attack will start on 15 August and continues throughout the end of the year."

Fix
This worm is easy to block: filter inbound TCP port 135 at the perimeter and on hosts, and apply the patch from Microsoft Security Bulletin MS03-026. Filtering only prevents new infections; it does nothing for a host that is already compromised. And many infected users report that their computers reboot so often (the exploit crashes the RPC service, which forces a restart) and generate so many error reports that they cannot stay online long enough to download the patch.

Simply activating Windows XP's minimal Internet Connection Firewall (ICF) appears to make it possible for XP-based systems to stay online and download removal tools or the patch. Symantec reports that other firewalls may be able to provide the necessary protection to help repair the system even after infection.

Symantec has also made available a free Blaster removal tool that deletes instances of the worm files and eliminates the registry values it adds. Other vendors' sites with removal instructions or tools include F-Secure, McAfee, and Trend Micro.

For those who can read this report but can't stay online long enough to download either the patch or one of the removal tools, here is some hands-on help offered by Global Hauri, which markets ViRobot Experthi.

Global Hauri's Blaster removal instructions

    Disconnect your computer from the network.
    Reboot the computer in Safe mode by hitting the [F8] function key (top row of the keyboard) while rebooting and choosing the Safe Mode option.
    Wait until boot process is completed in Safe mode.
    Open Task Manager by simultaneously pressing [Ctrl][Shift][Esc] and then select the Processes tab.
    Find and highlight msblast.exe from Processes tab.
    To kill msblast.exe, click the End Process button in the bottom of the Processes window.
    Click Start and select the Search button. (It looks slightly different in WinNT, Win2K, and WinXP.)
    Choose All Files and Folders, type msblast.exe, and then search the entire hard disk. (If you have more than one drive, search them all.)
    Delete all msblast.exe instances from the search window.
    Reboot in Normal mode and plug in to the network.

Now you will be able to install antivirus software (or update the latest antivirus definitions) and the Microsoft security patch. Reconnect only with Windows XP's Internet Connection Firewall or another host firewall enabled; otherwise the machine is likely to be reinfected over port 135 before the patch download finishes. For advanced users, Global Hauri recommends this extra step: open the registry editor and delete the value that launches msblast.exe from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
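The ten steps above plus the registry step, automated in Python as an added example written for this edit; it is not Global Hauri's tool or code from the article. It assumes Python is already present on the infected host, that it is run from Safe Mode with the network cable out, and it covers the three file names the article gives. The article does not name the value under the Run key, so the script matches on value data that references a worm binary rather than on a fixed value name.

```python
import ntpath
import os
import subprocess
import sys

# File names the article gives for the original worm and the re-packed variant.
WORM_BINARIES = {"msblast.exe", "teekids.exe", "penis32.exe"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def is_worm_file(path):
    """True if the file name component of path is one of the known worm binaries.
    ntpath splits on Windows separators even when this helper is checked on another OS."""
    return ntpath.basename(path).lower() in WORM_BINARIES


def worm_run_values(values):
    """Pure helper: given (name, data) pairs read from the Run key, return the
    names of values whose command line references a worm binary. Matching on the
    data rather than on a fixed value name (an assumption, since the article gives
    none) also catches variants that rename the value."""
    return [name for name, data in values
            if isinstance(data, str)
            and any(binary in data.lower() for binary in WORM_BINARIES)]


def kill_worm_processes():
    """Steps 4-6 of the manual procedure: stop running copies of the worm.
    taskkill ships with Windows XP Professional and later."""
    for image in sorted(WORM_BINARIES):
        subprocess.run(["taskkill", "/F", "/IM", image], capture_output=True)


def purge_run_key():
    """Extra step: remove the Run value that relaunches the worm at logon."""
    import winreg  # standard library, but only present on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_WRITE) as key:
        values, index = [], 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values.append((name, data))
            index += 1
        for name in worm_run_values(values):
            winreg.DeleteValue(key, name)
            print(f"removed Run value {name!r}")


def delete_worm_files(roots):
    """Steps 7-9: walk every given drive and delete copies of the worm binaries.
    Returns the paths removed; locked files are reported, not silently skipped."""
    removed = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if is_worm_file(path):
                    try:
                        os.remove(path)
                        removed.append(path)
                    except OSError as exc:
                        print(f"could not delete {path}: {exc}")
    return removed


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the infected Windows host, in Safe Mode, unplugged from the network")
    drives = [f"{d}:\\" for d in "CDEFGHIJKLMNOPQRSTUVWXYZ" if os.path.isdir(f"{d}:\\")]
    kill_worm_processes()   # kill first so the binaries are no longer locked
    purge_run_key()
    for path in delete_worm_files(drives):
        print("deleted", path)
```

After it finishes, reboot normally, enable the host firewall, and only then reconnect to fetch the MS03-026 patch and fresh antivirus definitions.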

Welchia
A worm released with the intention of fixing computers infected with Blaster is making the rounds and is causing far more damage than Blaster did. Welchia (also known as W32/Welchia.worm10240, W32/Nachi.worm, WORM_MSBLAST.D, and Lovsan.D) attempts to remove Blaster and download/install the required system patch.

The problem with Welchia, besides the fact that it is just another piece of unauthorised code running on your systems, is that it takes over the "patched" system and uses it to scan the Internet for other Blaster-infected hosts, and that scanning traffic is bringing individual systems and networks to their knees. Symantec has a report on Welchia, which includes a link to a removal tool and detailed manual removal instructions.
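The scanning behaviour described in the CNET quote for MSBlast above, and again for Welchia here, is what shows up in perimeter and host firewall logs: one address opening TCP/135 to a long run of distinct hosts and, for Blaster, a follow-up connection to TCP/4444 on whichever host it exploited. The script below is an added example written for this edit, not code from the article or any vendor tool. It runs that detection over a small constructed log in a made-up line format; the 20-host fan-out threshold is an assumption to tune per network.

```python
import re
from collections import defaultdict

# Constructed, simplified firewall log format used only for this example:
# "<timestamp> SRC=<ip> DST=<ip> PROTO=<TCP|UDP> DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>TCP|UDP) DPT=(?P<dpt>\d+)$"
)


def build_sample_log():
    """Constructed sample: 10.0.0.5 sweeps 40 sequential addresses on TCP/135
    (Blaster/Welchia behaviour) and then opens the TCP/4444 shell on one victim;
    10.0.0.9 makes a few legitimate RPC endpoint-mapper connections."""
    lines = []
    for i in range(1, 41):
        lines.append(f"2003-08-13T10:00:{i % 60:02d} SRC=10.0.0.5 DST=10.0.1.{i} PROTO=TCP DPT=135")
    for dst in ("10.0.2.1", "10.0.2.2", "10.0.2.1"):
        lines.append(f"2003-08-13T10:01:00 SRC=10.0.0.9 DST={dst} PROTO=TCP DPT=135")
    lines.append("2003-08-13T10:02:00 SRC=10.0.0.5 DST=10.0.1.17 PROTO=TCP DPT=4444")
    return lines


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dpt"] = int(event["dpt"])
            yield event


def detect(lines, fanout_threshold=20):
    """Return {source_ip: [reasons]} for hosts showing Blaster-style behaviour.

    Two indicators: fan-out on TCP/135 to many distinct hosts (the scan), and any
    outbound TCP/4444 connection (the attacker reaching the shell it just opened)."""
    dsts_on_135 = defaultdict(set)
    shell_targets = defaultdict(set)
    for ev in parse(lines):
        if ev["proto"] == "TCP" and ev["dpt"] == 135:
            dsts_on_135[ev["src"]].add(ev["dst"])
        elif ev["proto"] == "TCP" and ev["dpt"] == 4444:
            shell_targets[ev["src"]].add(ev["dst"])

    alerts = defaultdict(list)
    for src, dsts in dsts_on_135.items():
        if len(dsts) >= fanout_threshold:
            alerts[src].append(f"TCP/135 sweep of {len(dsts)} distinct hosts")
    for src, dsts in shell_targets.items():
        alerts[src].append(f"connected to TCP/4444 on {sorted(dsts)}")
    return dict(alerts)


if __name__ == "__main__":
    for src, reasons in detect(build_sample_log()).items():
        print(src, "->", "; ".join(reasons))
```

Domain controllers and management hosts legitimately talk to many machines on TCP/135 (the RPC endpoint mapper), so keep an allow-list for those when applying the fan-out rule; the TCP/4444 indicator is far more specific.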

Sobig.F
The latest version of Sobig can infect a system only if a user opens a malicious email and then opens its attachment. Like earlier versions, it carries its own SMTP engine and mails itself to addresses harvested from the compromised computer.

The attachment name ends in .pif, and the subject lines are chosen to look like replies so that people open the attachment. Examples include: RE: Details, RE: Approval, RE: Thank You, and RE: Your Application. Blocking .pif attachments at the mail gateway stops this variant before it reaches users.
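A mail-gateway check for this variant, as an added example written for this edit rather than code from the article: it parses a constructed message (not a real Sobig.F sample) with Python's email module, quarantines on a .pif attachment, and records a lure subject only as corroboration, since legitimate mail titled "RE: Details" arrives all day. The .scr and .exe additions to the block list are an assumption.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Subject lines the article lists; compared case-insensitively.
SOBIG_SUBJECTS = {"re: details", "re: approval", "re: thank you", "re: your application"}
# .pif is what the article reports; .scr and .exe are assumed additions that a
# gateway would normally block on the same grounds.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".exe"}


def build_sample_message(filename="details.pif", subject="RE: Details"):
    """Constructed sample message (not a real Sobig.F capture): a reply-style
    subject and an attached file with the given name."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def classify(raw):
    """Return ("quarantine", reasons) or ("deliver", []).

    Only a blocked attachment extension triggers quarantine; a matching subject is
    appended as corroboration so the analyst sees why the message looked like Sobig.F."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {name!r} has blocked extension {ext}")
    subject = (msg["Subject"] or "").strip().lower()
    if reasons and subject in SOBIG_SUBJECTS:
        reasons.append(f"subject {str(msg['Subject'])!r} is on the Sobig.F lure list")
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    for name, subj in (("details.pif", "RE: Details"), ("notes.txt", "RE: Details")):
        verdict, why = classify(build_sample_message(name, subj))
        print(name, subj, "->", verdict, why)
```

The extension check looks at the declared file name only; a gateway that also sniffs the attachment bytes for the MZ executable header catches renamed copies, which is a cheap addition once this skeleton is in place.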

This is a very large worm (72K). Removing it from systems will be a complex undertaking, since you'll have to disconnect each compromised PC from any network before cleaning it. Details and removal instructions are available at the following security sites:

Final word
These three worms have brought down networks large and small. The information, links, and instructions provided here can help you avoid these nasty little devils or remove them if they have already infected systems on your network.

Story URL: http://news.zdnet.co.uk/security/0,1000000189,39115857,00.htm

Copyright © 1995-2008 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.