Update: Feared RPC worm starts to spread
It could clog the Internet with traffic and allow a hacker to steal or corrupt data
IDG News Service - Security experts today warned of the first self-propagating virus to take advantage of a widespread vulnerability reported last month in Microsoft Corp.'s Windows operating systems.
Known by various names, including Blaster and Lovsan, the worm has begun to infect computers at homes and businesses and could clog the Internet with traffic and allow a malicious hacker to steal or corrupt data stored in an infected system, experts said.
The vulnerability, a buffer overrun in a Windows interface that handles the remote procedure call (RPC) protocol, was acknowledged by Microsoft in a security bulletin posted July 16. Along with government and private security organizations, Microsoft has been urging customers to install a security patch in order to protect against attack.
The flaw affects several versions of Windows, including Windows NT 4.0, Windows XP and Windows Server 2003, making potential targets of millions of desktop and server computers. Experts have warned of the potential for serious disruption of the Internet.
Symantec Corp. said today that based on the number of submissions received from customers and information from Symantec's DeepSight Threat Management System, Symantec Security Response had upgraded the threat to a Category 4 level.
Category 4 means that the virus is considered "dangerous [and] difficult to contain," Cupertino, Calif.-based Symantec said in a statement on its Web site. "The latest virus definitions should be downloaded immediately and deployed."
According to Symantec, the worm contains the following text, which is never displayed: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!"
In a statement on its Web site, Helsinki, Finland-based F-Secure Corp. gave the virus its highest level alert, which is issued for a "worldwide epidemic of a serious new virus."
The spread of the worm appeared to increase rapidly today.
Yesterday, Tokyo-based security vendor Trend Micro Inc. said it had received reports of several infected machines. The worm was observed scanning for vulnerable systems and then sending itself to those machines using Port 135, the company said. The worm will also launch a denial-of-service attack against Microsoft's www.windowsupdate.com Web site on Aug. 16 and Aug. 31, and on every day from Sept. 1 through the end of the year, Trend Micro said.
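The propagation behaviour Trend Micro describes, one host fanning out to many others on port 135, is visible from a border firewall. The following detector is an added example and not part of the article or any vendor's product; it assumes a simple whitespace-separated log layout (timestamp, source, destination, destination port, protocol) over constructed sample lines.

```python
"""Flag hosts whose outbound TCP/135 connection attempts look like worm scanning.
Added example, not from the article; the log layout (timestamp src dst dport
proto) is an assumption, so adapt parse_line() to your own firewall format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic): 10.0.0.5 fans out to many
# distinct hosts on 135/tcp within seconds, which is what the worm's
# propagation looks like from a border firewall; the rest is ordinary traffic.
SAMPLE_LOG = """\
2003-08-12T10:00:01 10.0.0.5 10.0.1.1 135 tcp
2003-08-12T10:00:01 10.0.0.5 10.0.1.2 135 tcp
2003-08-12T10:00:02 10.0.0.5 10.0.1.3 135 tcp
2003-08-12T10:00:02 10.0.0.5 10.0.1.4 135 tcp
2003-08-12T10:00:03 10.0.0.5 10.0.1.5 135 tcp
2003-08-12T10:00:03 10.0.0.5 10.0.1.6 135 tcp
2003-08-12T10:00:04 10.0.0.5 10.0.1.7 135 tcp
2003-08-12T10:00:04 10.0.0.5 10.0.1.8 135 tcp
2003-08-12T10:00:06 10.0.0.7 10.0.1.20 135 tcp
2003-08-12T10:00:07 10.0.0.7 10.0.1.20 445 tcp
2003-08-12T10:00:08 10.0.0.9 10.0.1.30 80 tcp
"""

def parse_line(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto

def find_rpc_scanners(log_text, window=timedelta(seconds=30), threshold=8):
    """Return {src: distinct_targets} for sources reaching >= threshold hosts on 135/tcp in a window."""
    events = defaultdict(list)  # src -> [(ts, dst)] for 135/tcp only
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = parse_line(line)
            if proto == "tcp" and dport == 135:
                events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1          # slide the window forward
            targets = {dst for _, dst in evs[start:end + 1]}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

if __name__ == "__main__":
    for src, n in find_rpc_scanners(SAMPLE_LOG).items():
        print(f"possible RPC worm scanning from {src}: {n} targets on 135/tcp")
```

A single host contacting one peer on 135/tcp (legitimate RPC use) stays below the threshold; only the fan-out pattern is flagged.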
Trend Micro gave the worm an overall risk rating of medium but rated the damage and distribution potential as high. Network Associates Inc.'s McAfee unit also rated the worm "medium on watch" for both home and business users.
Netsolve Inc., an IT services company in Austin that provides managed security services to about 1,000 businesses, said the worm was spreading rapidly and had been observed in several of its customers' networks yesterday afternoon. However, Chuck Adams, the company's chief security officer, said it was too early to say for sure how much damage, and what type of damage, the worm will cause.
"The impact is pretty small right now, but based on the analysis we've done on the (exploit) code we've captured, it's going to be a propagation pattern similar to SQL Slammer," he said, referring to a widespread worm that affected Microsoft's SQL Server 2000 database earlier this year.
Based on Netsolve's early observations, Blaster isn't likely to spread as widely as SQL Slammer, Adams predicted.
"I don't think it will be as large because there are some limitations" to Blaster, he said. For example, SQL Slammer tried to take advantage of multiple Windows vulnerabilities, while Blaster appears to exploit only one, he said.
The most troubling aspect of Blaster is that besides propagating itself, the worm installs a backdoor program on infected systems and reports back to an Internet relay chat server that the system has been compromised, Adams said. A malicious hacker could use that information to identify a compromised system and then attempt to delete or access data stored on it, he said.
Computerworld's Ken Mingis contributed to this report.