Self-Propagating Worm Spreads

Security experts are warning of the first self-propagating virus to take advantage of a widespread vulnerability reported in Microsoft Windows in July.

Known by various names, including Blaster and Lovesan, the worm virus has begun to infect computers at homes and businesses and could clog the Internet with traffic and allow a malicious hacker to steal or corrupt data stored in an infected system, experts say.

Acknowledged Hole

The vulnerability, a buffer overrun in a Windows interface that handles the RPC (Remote Procedure Call) protocol, was acknowledged by Microsoft in a security bulletin posted July 16. Along with government and private security organizations, Microsoft has been urging customers to install a security patch in order to protect against attack.

The flaw affects several versions of Windows, including Windows NT 4.0, Windows XP, and Windows Server 2003, making potential targets of millions of desktop and server computers. Experts have warned of the potential for serious disruption of the Internet, although it wasn't immediately clear how rapidly the worm was spreading.

Security vendor Trend Micro says it has received reports of several infected machines Monday. The worm was observed scanning for vulnerable systems and then sending itself to those machines using port 135, company representatives say. The worm is also scheduled to launch a denial of service attack against Microsoft's windowsupdate.com Web site on August 16 and August 31, and on every day from September 1 through the end of the year, Trend Micro says.

Trend Micro gives the worm an overall risk rating of medium, but rates the damage and distribution potential as high. Network Associates's McAfee unit also rates the worm "medium on watch" for both home and business users.

Blaster Spotted

Netsolve, an information technology services company that provides managed security services to about 1000 businesses, says the worm is spreading rapidly and was observed in several customer networks Monday afternoon. However, Chuck Adams, the company's chief security officer, says it is too early to say for sure how much damage, and what type of damage, the worm will cause.

The most troubling aspect of Blaster is that as well as propagating itself, the worm installs a "back door" program on infected systems and reports back to an Internet relay chat server that the system has been compromised, Adams says. A malicious hacker could use that information to identify a compromised system and then attempt to delete or access data stored on it, he adds.

"The impact is pretty small right now, but based on the analysis we've done on the (exploit) code we've captured, it's going to be a propagation pattern similar to SQL Slammer," he says, referring to a widespread worm that affected Microsoft's SQL Server 2000 database earlier this year.

However, based on Netsolve's early observations, Blaster isn't likely to spread as widely as SQL Slammer, Adams predicts.

"I don't think it will be as large because there are some limitations" to Blaster, he says. For example, SQL Slammer tried to take advantage of multiple Windows vulnerabilities, while Blaster appears to exploit only one, he adds.