Nachi -- also dubbed MSBlast.D and Welchia -- is a variant of the MSBlast worm that started spreading on Monday and swamped corporate networks with its attempts to compromise computers. The worm aimed to patch vulnerable computers before the original MSBlast infected them, but its aggressive scanning for systems disrupted corporate networks.
The mass-mailing virus Sobig.F, which targets Windows computers, started multiplying on Tuesday morning, quickly adding to the network havoc.
America Online said it scanned 40 million email attachments on Wednesday -- about four times the average daily volume -- and found more than 23 million copies of the Sobig.F virus. In addition, the number of support calls from home users jumped significantly because of the reaction of other email systems to the virus, said Nicholas Graham, a spokesperson for the Internet service giant.
"This virus makes people think that they have been hacked, because they see the emailer notifications that have bounced back," Graham said.
Sobig.F, like previous variants of the virus, forges the source address of every email it sends, using addresses culled from the Windows address book or found in cached Web pages. When email gateways detect a message with a virus attached, they typically dispatch a warning about the infection to the sender. In the case of Sobig.F, the response is sent to a person that most likely hasn't been infected.
"We are getting very successful at blocking the messages from email daemons (server programs)," Graham said.
AOL estimates that it blocks as much as 75 percent of automatically generated email messages. The other 25 percent accounted for a 25 million-message increase in the amount of email that AOL processed over the past two days, Graham said.
Down to the roots
Internet service provider VeriSign said it was able to measure the effects of the Sobig virus, and estimated that at least 100,000 computers on the Internet had been infected by the virus.
The ISP said it saw a dramatic increase in the number of mail-record lookups processed by its domain name system (DNS) root server in the past 24 hours. The increase was caused by the component of the Sobig.F virus that sends email, it said.
The Sobig.F virus spreads by sending a copy of itself to the addresses in an email message with a subject line such as "Your Details," "Re: Approved," and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.
Every time the mini-mail server sends off a copy of the virus, it looks up data from the DNS root servers, the authoritative address books of the Internet. VeriSign controls one of the 13 primary servers and has seen an amount of mail-record lookups jump by a factor of 20 since Tuesday morning, according to John Ferguson, director of marketing for security services for the company.
"The majority of the messages that are sent across the Internet normally don't come up to the root level," Ferguson said. "Now, (infected computers in) thousands of networks are doing the lookups."
Ferguson said that VeriSign has found lookups coming from several tens of thousands of network addresses, making it very likely that at least 100,000 computers are infected by the Sobig.F virus.
On Thursday, Symantec said that the Nachi worm -- which the company calls W32.Welchia -- combined with the original MSBlast worm had infected more than a million Windows computers. In four days, the number of computers compromised by the MSBlast variant had surpassed the original worm, according to Alfred Huger, senior director of engineering for Symantec's security response team.
"There are a lot of companies that have been disrupted by W32.Welchia," Huger said. "A lot of the people who are getting it under control are doing so because it couldn't get any worse."
Downing tools
MSBlast and its variants, and the Sobig.F virus, have disrupted several companies, including those responsible for critical parts of the United States' infrastructure.
- Defence contractor Lockheed Martin had less than 1 percent of its systems infected, but still had disruptions.
- The Massachusetts Institute of Technology found its email servers congested from the amount of messages created.
- Railway and freight hauler CSX had to stop trains because of the Nachi worm, the Associated Press reported.
- Airline Air Canada cancelled flights on Tuesday because its network couldn't deal with the amount of traffic generated by the Nachi worm.
- The Pentagon and military had myriad infections of the Sobig.F virus and the Nachi worm, various news agencies reported.
The MSBlast worm also continued to have some unforeseen effects on non-Microsoft hardware.
Hewlett-Packard revealed on its customer support Web site that its HP OpenView network management software has been hit by the specific type of data that MSBlast uses to compromise vulnerable computers.
"HP OpenView has determined that the worm virus recently referred to as 'Blaster'...may impact HP OpenView products running on Microsoft Windows, HPUX, Solaris and Linux," the company stated in an advisory. An HP spokesperson couldn't be immediately reached for comment.
In addition, network administrators reported on a newsgroup that telecommunications equipment maker Lucent Technologies' TNT MAX network gateway crashed due to some interaction with traffic created by the MSBlast worms. A representative for the company confirmed that Lucent was investigating the issue, but couldn't supply details.
The Slammer worm that took advantage of a six-month-old security flaw in Microsoft's SQL Server and related database software also affected non-Microsoft products. Several products contained the vulnerable code.
Talkback
What I find really surprising is how can someone be so brain dead to implement Microsoft products in critical applications. I don't blame sysadmins, but rather
the higher IT bosses who buy absolutely anything from Microsoft PR types who are getting paid to over-glorify the "superiority" of Microsoft products.
I don't sped a lot of time watching TV, but reports should follow of such issues. Especially you won't hear something like "Instead of spending all your time looking for new patches and latest antivirus definitions why not install Linux".
If all critical applications are switched over to Linux then in future there will never be headlines like "MSUtter.P (just a random name) 'Worm virus' (sound ridiculous? I KNOW!) has been the worst case of DDOS completely wiping out even Microsoft's internal network for developers so the patch is not likely to be developed for another several months. The reason is a very unusual one: the central servers which contain source code for Windows have been infected by MSUtter.P and the files have been encrypted with random 14336 bit codes generated from MD5
hashes of randomly reading lines of the file itself. Microsoft decided that unencrypting the source code is impossible". The only backups of 1 months old code tree was on a Linux server which everyone forgot about, luckily this server wasn't affected by MSUtter.P. Under those circumstances Microsoft needs to use the source code found on the Linux file server and redo the last month's work entirely! Coders are staying in late, some haven't left the building in several days already. Sleeping bags can be found in corners of offices...."
Just a though
Best regards
Oleg M