Even as Microsoft is proclaiming victory in its efforts to thwart the Windows 'Blaster' worm, security firms are warning that several copycat worms are making the rounds, including one that installs itself on vulnerable systems and deletes the Msblast.exe worm.
According to Symantec Security Response, the new W32.Welchia.Worm exploits the same DCOM RPC vulnerability and looks for the Msblast.exe file dropped by the W32.Blaster.Worm. The 'fixer' worm then deletes Blaster from an affected system.
Oliver Friedrichs, senior manager at Symantec, told internetnews.com the Welchia variant also attempts to download the DCOM RPC vulnerability patch from Microsoft's update site. "If the update has been successful, the worm will reboot the computer so the update takes effect," Friedrichs explained, warning that the worm presents a danger regardless of its attempts to fix an affected system.
Ken Dunham, a manager at security specialist iDefense, said the new worm opens TCP port 707, which could lead to exploitation by a malicious actor. "This upgrades the threat significantly," Dunham said. "Some may call this a good virus, but it can cause all sorts of problems when patches are applied to a computer, unbeknownst to the administrator of that computer," he added.
According to Dunham, the new Welchia copycat doesn't attempt to remove itself from an infected computer until the year 2004. "This may be an attempt for the worm to spread in the wild, patch vulnerable computers, until most computers successfully update against the RPC vulnerability exploited by DCOM RPC based worms," he explained.
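For an administrator who wants to check a host against the indicators this article names, rather than wait for a worm to "fix" it, the following script is an added example (not code from the article, Symantec or iDefense). It looks for the Msblast.exe file the article says Blaster drops and for a listening TCP port 707, which iDefense attributes to Welchia. The TCP 135 check is an assumption added here: the DCOM RPC flaw both worms exploit is reachable through the RPC endpoint mapper on that port. File paths and `netstat -an` lines are passed in as arguments so the logic runs offline over constructed data; on a live host you would feed it a directory walk and the real netstat output.

```python
"""Host triage for the Blaster/Welchia indicators named in the article.

Added example, not from the article or from Symantec/iDefense.
The sample paths and netstat lines below are constructed for illustration.
"""
import ntpath
import re
from typing import Dict, Iterable, List, Set

BLASTER_DROPPER = "msblast.exe"   # file name given in the article
WELCHIA_PORT = 707                # per iDefense's Ken Dunham, as quoted
DCOM_RPC_PORT = 135               # assumption: RPC endpoint mapper port used by the DCOM RPC flaw

# Matches one socket line of Windows `netstat -an`, e.g.
#   TCP    0.0.0.0:707    0.0.0.0:0    LISTENING
# Header and blank lines do not match and are skipped.
_NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE
)


def find_blaster_files(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name is Msblast.exe (case-insensitive).

    ntpath is used so Windows-style paths are split correctly even when this
    runs on a non-Windows analysis box.
    """
    return [p for p in paths if ntpath.basename(p).lower() == BLASTER_DROPPER]


def listening_tcp_ports(netstat_lines: Iterable[str]) -> Set[int]:
    """Parse `netstat -an` output and return the TCP ports in LISTENING state."""
    ports: Set[int] = set()
    for line in netstat_lines:
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # header, blank or otherwise unparseable line
        proto, _local, port, _remote, state = m.groups()
        if proto.upper() == "TCP" and state and state.upper() == "LISTENING":
            ports.add(int(port))
    return ports


def assess_host(paths: Iterable[str], netstat_lines: Iterable[str]) -> Dict[str, object]:
    """Combine both checks into a single verdict for the host."""
    blaster_files = find_blaster_files(paths)
    ports = listening_tcp_ports(netstat_lines)
    welchia_port_open = WELCHIA_PORT in ports
    return {
        "blaster_files": blaster_files,
        "welchia_shell_port_open": welchia_port_open,
        "rpc_port_listening": DCOM_RPC_PORT in ports,
        # Either indicator means the host has already been touched by one of
        # the worms and needs the patch, not just a firewall rule.
        "needs_attention": bool(blaster_files) or welchia_port_open,
    }


# Constructed sample input: a host that carries Blaster's dropped file and
# exposes both the Welchia port and the RPC endpoint mapper.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\msblast.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\tool\readme.txt",
]
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:707            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1054        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:69             *:*
""".splitlines()


if __name__ == "__main__":
    for key, value in assess_host(SAMPLE_PATHS, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

A listening port 135 on its own is normal for a Windows host of that era; it only tells you the DCOM RPC service is reachable, so the host must be patched or the port blocked at the network edge, as Symantec advises below. The Msblast.exe file and the port 707 listener are the two indicators that the host has already been compromised.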
Symantec's Friedrichs said the spread of Blaster appeared to be on the decline. "Over the last 48 hours, we've seen a decline in infections by about 15 to 20 percent. It's down but it's still out there. It also tells us that there are a lot of unpatched systems, even today," he added.
He said the latest data show more than 572,000 unique infections since the worm first started to propagate on August 11. "The worm is now spreading at about 15 percent of the rate it was at its highest peak. However, it will not disappear until more systems deploy the security patch and/or deploy firewall rules to block the relevant ports, in addition to having updated virus definitions," he added.
Symantec expects to see this worm or variants of it continuing to spread in the wild for many months, but at much reduced rates.
iDefense's Dunham echoed calls for users to update against the DCOM RPC vulnerability. "Thousands of computers have been compromised with Trojans as well as hundreds of thousands of computers compromised by recent DCOM RPC based worms," he added.