By midafternoon on Monday, the worm had infected at least 7,000 computers in a matter of hours, according to data provided by security company Symantec. Still, security experts stressed that the program had several flaws that had slowed its spread.
"You are not going to see the rapid uptake of Slammer. However, it could easily be as large as Code Red," said Symantec's senior director of engineering, Alfred Huger, referring to the lightning-fast Slammer worm, which hit Microsoft SQL servers in January, and the Code Red worm, which gobbled up servers in July 2001.
The Code Red worm spread slowly at first, then quickly, after someone modified the program to fix a flaw in its code. Huger said it was likely that an online vandal would take on the task of modifying MSBlast as well.
"I think there is a really strong chance that this will be modified and re-released, if not today, then this week," Huger said. "It's very simple to unpack and very simple to modify."
The introduction of the MSBlast worm ends nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm to take advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools, such as the Trivial File Transfer Protocol (TFTP) server.
The worm is also known as W32.Blaster and W32/LuvSan.
The worm could turn out to be quite an irksome bug for Microsoft. It reinforces the notion that despite the software giant's 18-month-old Trustworthy Computing initiative, Microsoft software still has security issues.
And it also aims to attack the company's network directly. Starting on 16 August, every computer infected with MSBlast will start flooding Microsoft's Windows Update service with legitimate-looking connection requests. The denial-of-service attack could slow down, and even halt access to, the primary way Microsoft customers receive updates for their computers.
MSBlast's first attack will last until the end of the year, security researchers said, adding that the coding of the worm will cause it to continue the attack in the latter half of each month for the first six months of 2004.
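An added example, not part of the original article, that turns the schedule described above into a check a defender can run against a calendar date: it assumes the "latter half of each month" opens on the 16th, as the first window does.

```python
from datetime import date, timedelta

# Assumption: the article says "latter half of each month"; we take that as
# starting on the 16th, matching the 16 August start of the first window.
FIRST_ATTACK_DAY = 16


def in_attack_window(d: date) -> bool:
    """True if, per the article, MSBlast-infected hosts flood Windows Update on day d:
    16 Aug 2003 through 31 Dec 2003, then the latter half of each month Jan-Jun 2004."""
    if d.year == 2003:
        return d >= date(2003, 8, FIRST_ATTACK_DAY)
    if d.year == 2004 and d.month <= 6:
        return d.day >= FIRST_ATTACK_DAY
    return False


def attack_windows():
    """Contiguous (start, end) date ranges during which the flood is active,
    derived by walking every day from Aug 2003 to the end of June 2004."""
    windows, start, prev = [], None, None
    d = date(2003, 8, 1)
    while d <= date(2004, 7, 1):  # one day past the last window closes it
        active = in_attack_window(d)
        if active and start is None:
            start = d
        elif not active and start is not None:
            windows.append((start, prev))
            start = None
        prev = d
        d += timedelta(days=1)
    return windows


if __name__ == "__main__":
    for start, end in attack_windows():
        print(f"{start} to {end}")
```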
The worm contains two messages in its code. One is addressed to Microsoft founder Bill Gates: "billy gates why do you make this possible?" it says. "Stop making money and fix your software!!" The other message is a "greet" -- an underground programmer greeting -- to another person, which could be a lead for any law enforcement agencies that pursue the worm's author.
Microsoft may find a way to deflect the attack, as did the White House's technical staff when the Code Red worm aimed a denial-of-service attack at the whitehouse.gov Web site. The flaws in MSBlast may also slow it down.
"The worm is obviously messing things up, and it's going to get worse," said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. "But if it wasn't using (such poor methods), it would be much more effective."
The worm attacks Windows computers via a flaw in a component of the OS that allows other computers to ask Windows systems to perform an action or service. Microsoft warned about the flaw on 16 July. The component, known as the remote procedure call (RPC) process, facilitates activities such as sharing files and allowing others to use a computer's printer. By sending too much data to the RPC process, an attacker can cause the system to grant full access to its resources.
MSBlast installs the TFTP server and runs the program to download the MSBlast code to the compromised server. But the way the worm causes a compromised computer to download the file is very inefficient, Maiffret said. Moreover, although MSBlast can detect whether a machine is already infected, it has to compromise the machine again before it can check.
Starting with a random Internet address, the worm sequentially scans for computers with the vulnerability. Because the scanning process is not completely random, the worm is likely to cause a lot of excess traffic on the network. It also adds a registry key to ensure that the worm is restarted when the host computer is rebooted.
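The sequential scanning described above leaves a recognisable trace in firewall or flow logs. This added example (not from the article or any vendor tool) flags sources whose connections to the Windows RPC port walk through consecutive destination addresses; the log format, the port number (135, the RPC endpoint mapper) and the run threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

RPC_PORT = 135   # assumption: Windows RPC endpoint mapper port the worm targets
MIN_RUN = 8      # assumption: flag a source after this many consecutive targets

# Assumed log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def parse(lines):
    """Yield (src, dst_as_int, dport) for each well-formed line; skip the rest."""
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        try:
            yield m.group(1), int(ipaddress.IPv4Address(m.group(2))), int(m.group(3))
        except ipaddress.AddressValueError:
            continue


def longest_sequential_run(dsts):
    """Length of the longest run of consecutive destination addresses, in log order."""
    best = run = 1 if dsts else 0
    for prev, cur in zip(dsts, dsts[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sequential_scanners(lines, port=RPC_PORT, min_run=MIN_RUN):
    """Map each suspicious source to the length of its sequential RPC-port sweep."""
    targets = defaultdict(list)
    for src, dst, dport in parse(lines):
        if dport == port:
            targets[src].append(dst)
    flagged = {}
    for src, dsts in targets.items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            flagged[src] = run
    return flagged


# Constructed sample: 192.0.2.10 sweeps 198.51.100.1 to .12 on port 135;
# 192.0.2.20 makes ordinary connections and a malformed line is ignored.
SAMPLE_LOG = [f"2003-08-11T14:{i:02d}:00 src=192.0.2.10 dst=198.51.100.{i + 1} dport=135"
              for i in range(12)] + [
    "2003-08-11T14:05:00 src=192.0.2.20 dst=198.51.100.7 dport=135",
    "2003-08-11T14:06:00 src=192.0.2.20 dst=203.0.113.9 dport=80",
    "garbage line",
]

if __name__ == "__main__":
    print(find_sequential_scanners(SAMPLE_LOG))
```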
Experts have feared that a worm created to take advantage of the Microsoft flaw could have an effect similar to that of the Slammer worm that downed corporate networks in January.
That worm spread to corporate networks worldwide, causing databases to go down, bank teller machines to stop working and some airline flights to be canceled. Six months earlier, a researcher had released code that exploited the major Microsoft SQL vulnerability used by the worm to spread.
Much of the damage caused by Slammer was due to the high volume of traffic that it caused. MSBlast's slower infection rate is likely to mean that it will not cause as much damage.
Security experts and network administrators continue to analyse the worm and patch their networks. Microsoft Windows users can update their operating systems through the company's Windows Update service. More information about the flaw and work-arounds is available in the advisory posted on Microsoft's site.

Talkback
I fought the worm. Took me all day to get it off my computer. I first noticed the Win 32 generic host 32 message as early as Thursday or perhaps Wednesday on my computer. It was then shutting down my computer about every 3 or 4 hours or so, and sometime after 6AM Pacific daylight time it started knocking me off line and rebooting itself until I got up at 4:00 pm PDT and then its average time between rebooting was 2 minutes.
I do not know where it came from. But I do know I had it for sure since last Wed or Thurs.
I downloaded a patch from a site AOL Tech support sent me (God bless cable connections). It only took like a few seconds to get online and I managed to download the patch and ran it from the site, and it downloaded and fixed the problem. I will also say Trend Micro's free online scan was able to say it found it and removed it, but it was not removed. The patch from the website they sent me is what worked.
I was hit yesterday afternoon when trying to get on the net. It pushed me off the net and caused my computer to reboot. At first I was totally clueless as to what was going on. I switched to other service providers (as we have several accounts) and I was quickly hit again. Then I realized it was a hacker. I went into my computer cartons and found the Norton utilities I never installed and installed it. It zapped the worm and I was able to surf again. The worm affected over 275 files, mostly my Word files but they seem to be safe after the Norton utility neutralized them.
It was quite a learning experience for a novice internet user like myself. From now on I venture into the space of the internet with Norton utilities. Your site was very prompt in putting out the word on this worm. This was also very helpful to me because I wanted confirmation that it was indeed a hacker.
This is absolutely insane! I've never had a virus, and what is anti-virus protection software for anyway? Now, I've run the removal tool, and it's removed the virus, but now I'm trying to download the patch, and it gives me an error: "Setup could not verify the integrity of the file update.int. Make sure the cryptographic service is running on this computer". Now what am I supposed to do with that? Now after the virus was removed, because I cannot install the patch, the virus is still there....
PLEASE HELP !
Jesus H Christ. Just because your computer got hit with a worm doesn't mean you had a "hacker" after you. Learn what is what before you open your mouth to insert your foot.
That is very easy. The "cryptographic" service is - a service! In order to turn it on, go to the Control Panel and then click on "Performance and Maintenance", then click on "Administrative Tools", and finally, click on the "Services" shortcut icon (grey, yellow gear).
A list of services will come up, with their name and startup type, as well as whether or not it's turned on.
If you look in the "C" listing, you'll see "Cryptographic", right click on that, and choose start.
You may also double click on it, and in the middle of the dialog box that prompts up, where it says "Startup Type", select the "Automatic".
Click OK, and Exit out. Then try to re-apply the patch and see if it works.
Hope this helps (If you even come back to read this).
The worm attacked our company's network yesterday and all systems went down immediately.
We cleared things up yesterday evening. We have never been attacked with a virus before and this is the first time we had such an experience.
We have taken steps against future attacks like this.
Dear Sir,
I was hit by the MSBLAST.EXE worm at 8.28pm (BST) 11 Aug 2003.
I first noticed SVCHOST.EXE read/write errors; then I could not disconnect my dial-up ISP; then PASTE didn't work, etc.
I have been using Windows NT and then 2000 since 1997 and have never had a worm/virus problem before, despite the fact that I don't have anti-virus software installed (would it have saved me from MSBLAST?).
What is so special about the MSBLAST worm? Why haven't I been hit before?
Regards,
Derek O'Connor,
Donard,
Co. Wicklow,
IRELAND