First Clones of MSBlaster Worm Detected

Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
The first variants of the MSBlaster worm has hit the Internet.

Both Sophos, Inc. and Central Command, Inc., anti-virus and security companies, report todaythat MSBlaster, also known as Lovsan, has been cloned into two very similar variants withminor alterations made to apparently try to escape detection.

''The original author of Worm/Lovsan was successful at infecting hundred's of thousands ofcomputers worldwide,'' says Steve Sundermeier, vice president of products and services atCentral Command. ''Unfortunately, history has proven that this type of success usuallygenerates a litter of copycat creations.''

What Sophos is calling MSBlaster-B is a functional equivalent to the original worm, exceptfor a different file name and registry entry, report Sophos analysts. The internal messagealso has been changed. In the original worm, it read: 'billy gates why do you make thispossible? Stop making money and fix your software!' The wording in one variant has beenchanged to a more graphic message, this time aimed at Microsoft and anti-virus vendors.

Security experts have been warning IT managers that Monday's detection of the originalBlaster worm was just the beginning.

''I'm afraid this is just the beginning,'' says Dan Ingevaldson, an engineering manager withAltanta-based Internet Security Systems, Inc. ''We're going to be dealing with this worm, orvariations of this worm, for some time... I'm worried about the fact that there are still somany vulnerable machines out there.''

MSBlaster, the original and the new variants, exploit a flaw with the Remote Procedure Call(RPC) process, which controls activities such as file sharing. The flaw enables the attackerto gain full access to the system. The vulnerability itself, which affects Windows NT,Windows 2000 and Windows XP machines, affects both servers and desktops, expanding the reachof any exploit that takes advantage of it.

Where the vulnerability affects servers and desktops in such popular operating systems,there are potentially millions of vulnerable computers out there right now. The securityindustry sent out a widespread warning about two weeks ago, spurring many companies toinstall the necessary patch, which was available from Microsoft almost a month ago.

Security analysts worry that there are still millions of unpatched machines vulnerable tothe new worm.

Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc.,says they did some testing within the last few days and found that about 70 percent ofsystems were still unpatched.

Submit a Comment

Loading Comments...