August 18, 2003 11:49 AM PDT
New MSBlast variant plugs hole
The new worm, dubbed W32.Welchia, W32/Nachi and Worm_MSBlast.D, appears to properly download the patch for both Windows 2000 and Windows XP from Microsoft's Web site. Moreover, the variant will delete itself the first time an infected computer starts up in 2004.
That doesn't mean that such worms are a good idea, said Joe Hartmann, North American director for antivirus research at security software firm Trend Micro.
"This is just a regular worm like anything else," he said. "In the end, they are going to cause more trouble than they help."
Despite the apparent lack of malicious intent, the worm still sends a great deal of unwanted traffic, as it tries to spread to other computers. In addition, if several computers download the patch from Microsoft at the same time, it could slow network performance, Hartmann said.
"That's the way we found out about this--when our clients came to us complaining of slow network performance," he said.
The original variant of the MSBlast worm continued to spread over the weekend and has likely infected more than 570,000 computers, according to security firm Symantec. The company's data measures the number of Internet addresses that show signs of a worm infection. Because Internet addresses don't correspond to single computers, the number is a rough estimate of total infections. Moreover, it is uncertain what fraction of those compromised computers has been cleaned of the infection.
Oliver Friedrichs, senior manager for Symantec's security response center, agreed that worms aren't a good way to distribute patches.
"I don't necessarily think whenever you infect someone's systems, install software and reboot the computer that that is a good thing," he said. "It still tries to propagate; it is still attacking people over the Internet."
The patching worm doesn't install software on all computers. The latest variant of MSBlast only plugs the security holes on the English, Korean and Chinese versions of Windows XP and Windows 2000. And it doesn't remove infections that have already compromised a computer.
The latest variant of the worm comes three days after Microsoft managed to dodge a denial-of-service attack promised by the original worm. The attack, which would have leveled a flood of data at Microsoft's Windows Update site, was foiled when the software giant deleted the address the worm was targeting. The worm is expected to continue to spread despite the aborted attack.
Microsoft also announced on Friday that an e-mail hoax is circulating. The subject line of the e-mail is "updated," and the message appears to contain a critical update to patch systems against the MSBlast worm. In reality, clicking on the attached file will infect the recipient's computer with a Trojan horse program. Antivirus company Sophos dubbed the new program Graybird. Microsoft warned consumers that it never uses e-mail to distribute patches.