CDROM-Guide forums

Old Aug 18, 2003, 10:50 PM
copyright copyright is offline
Join Date: May 2003
Posts: 693
***First Ever So Called Good Virus-Fixes MS Blaster**


New MSBlast variant plugs hole

By Robert Lemos
Staff Writer, CNET
August 18, 2003, 11:49 AM PT

A variant of MSBlast spread on Monday, but the new worm has an odd twist: It applies a patch for the vulnerability that it and other MSBlast worms use to infect Windows systems.

The new worm, dubbed W32.Welchia, W32/Nachi and Worm_MSBlast.D, appears to properly download the patch for both Windows 2000 and Windows XP from Microsoft's Web site. Moreover, the variant will delete itself the first time an infected computer starts up in 2004.

That doesn't mean that such worms are a good idea, said Joe Hartmann, North American director for antivirus research at security software firm Trend Micro.

"This is just a regular worm like anything else," he said. "In the end, they are going to cause more trouble than they help."

Despite the apparent lack of malicious intent, the worm still sends a great deal of unwanted traffic, as it tries to spread to other computers. In addition, if several computers download the patch from Microsoft at the same time, it could slow network performance, Hartmann said.

"That's the way we found out about this--when our clients came to us complaining of slow network performance," he said.

The original variant of the MSBlast worm continued to spread over the weekend and has likely infected more than 570,000 computers, according to security firm Symantec. The company's data measures the number of Internet addresses that show signs of a worm infection. Because Internet addresses don't correspond to single computers, the number is a rough estimate of total infections. Moreover, it is uncertain what fraction of those compromised computers has been cleaned of the infection.

Oliver Friedrichs, senior manager for Symantec's security response center, agreed that worms aren't a good way to distribute patches.

"I don't necessarily think whenever you infect someone's systems, install software and reboot the computer that that is a good thing," he said. "It still tries to propagate; it is still attacking people over the Internet."

The patching worm doesn't install software on all computers. The latest variant of MSBlast only plugs the security holes on the English, Korean and Chinese versions of Windows XP and Windows 2000. And it doesn't remove infections that have already compromised a computer.

The latest variant of the worm comes three days after Microsoft managed to dodge a denial-of-service attack promised by the original worm. The attack, which would have leveled a flood of data at Microsoft's Windows Update site, was foiled when the software giant deleted the address the worm was targeting. The worm is expected to continue to spread despite the aborted attack.

Microsoft also announced on Friday that an e-mail hoax is circulating. The subject line of the e-mail is "updated," and the message appears to contain a critical update to patch systems against the MSBlast worm. In reality, clicking on the attached file will infect the recipient's computer with a Trojan horse program. Antivirus company Sophos dubbed the new program Graybird. Microsoft warned consumers that it never uses e-mail to distribute patches.
Source: ********
Old Aug 18, 2003, 10:51 PM
copyright copyright is offline
Join Date: May 2003
Posts: 693

What do you guys think? This is the first of its kind, this just might be the new trend, maybe even antivirus groups will make even more....
Old Aug 18, 2003, 11:10 PM
Darkman Darkman is offline
Join Date: Aug 2000
Location: Australia
Posts: 6,424

Yes, but how do you tell if the variant you have is the one with the 'good payload' compared to one that some script kiddie has altered to include a trojan?

I agree with some of the comments in the quote, regardless of the payload the worm still generates unnecessary traffic, it runs a process you don't control. To me it's the next phase in worm propagation - using social engineering to encourage people to help spread the thing. If the worm can get to enough systems and request the same patch from the same site then it's still launching an effective DoS attack.
Old Aug 19, 2003, 12:01 AM
Insomniac Insomniac is offline
Join Date: Jul 2000
Location: Sydney, Australia. Where else would you want to live?
Posts: 5,746

I think this is just another worm in a different guise. If it unknowingly infects your computer without warning, and operates without any user input or knowledge, then that to me is undesirable. It would be interesting what would happen if this worm was blocked by a firewall and unable to achieve its purpose. Who knows what the result would be having more than one form of the worm, not to mention viruses?

I think Trojan is a better description. These worms, trojans and viruses rely on one main thing, that there will always be a certain number of users who don't have adequate security. Spreading patches via worms won't go towards reducing this threat. The only way is to educate as many users as possible and to ensure that software is as effective as possible.

And we all know how achievable that is.
Old Aug 19, 2003, 12:20 AM
copyright copyright is offline
Join Date: May 2003
Posts: 693

Valid Opinions.....

I'm wondering whether antivirus companies will include this worm in their definitions....
Old Aug 20, 2003, 12:38 AM
zack371 zack371 is offline
Join Date: Jul 2000
Location: USA
Posts: 1,944

Don't like this at all. Trust me. I work with Network Integrity/Security on a daily basis. It is my job. This new worm is a pain. Yes, it does actually fix the W32Blaster vulnerability, BUT, it still broadcasts out all over the place trying to find new machines to "infect" and "fix." It generates a lot of unnecessary network traffic (and I mean A LOT). There are already articles about companies being severely impacted performance-wise by this thing. Luckily in my organization, MOST of our systems don't run any super-customized or proprietary software, so we are able to patch systems almost immediately. However, some organizations must EXTENSIVELY test new OS patches and their impact on their applications before they can be rolled out. . .

Anyways, this thing is a pain and I hope it does not start a trend.

Just my opinion.


