Update: Two worm strains spreading on the Internet

The U.S. Department of Homeland Security (DHS) yesterday released an advisory warning users that a variant of last week's Blaster worm, dubbed "nachi," "welchia" or "msblast.D," could cause denial-of-service conditions within organizations.

Meanwhile, a new variant of the Sobig worm, dubbed W32/Sobig-F, is spreading rapidly via e-mail and network shares, security companies warned today.

The Blaster variant takes advantage of the same security weakness as the Blaster worm and infects only systems that haven't been properly patched (see story).

After infecting a vulnerable Windows 2000 or Windows XP machine, the new worm searches for and removes the Blaster worm file and attempts to download and install a patch from the Windowsupdate.com Web site to close the hole.

If the patch installation is successful, the worm then automatically reboots the machine and promptly begins looking for other machines on the network on which to copy itself.

The scanning process can flood networks with high volumes of Internet Control Message Protocol (ICMP) traffic, causing "network congestion which can result in denial of service conditions," according to the DHS advisory.

"This may be a symptom of the worm's propagation and not designed intentionally as a denial of service attack," the DHS note added.

But Russ Cooper, editor of NTBugTraq and an analyst at Herndon, Va.-based TruSecure Corp., said the denial-of-service conditions created by the so-called "do-gooder worm" could be deliberate.

"I'm surprised that the DHS would say this may be a symptom of the worm's propagation and not designed as a DDOS [distributed denial-of-service attack]," he said. "Whether it was intentional or otherwise, this is malware, which is having very harmful effects."

Because the worm is programmed to scan internal (Class B) networks, it could seriously degrade performance on enterprise networks, Cooper added.

The automatic patching of vulnerable systems that the worm is programmed to do can also cause systems to crash in many cases, he said.

"There is no such thing as a good worm," Cooper said. "It is impossible to control the effects of something which arbitrarily attacks other systems via a security vulnerability."

According to the DHS advisory, it's still unclear what other actions the variant is programmed to take on infected machines. "There may be other malicious aspects of this worm such as the installation of back doors that allow intruders to access or control infected machines," which are still unknown, the note said.

Organizations need to ensure that all systems are properly patched against the Windows remote procedure call (RPC) vulnerability that Blaster took advantage of, the DHS said.

It's also important to block MS-RPC ports where possible and monitor networks for unusual levels of ICMP traffic and traffic for Port 707, which the worm reportedly uses, the note added.
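The two monitoring recommendations above (watch for unusual ICMP volume, watch for traffic to port 707) are easy to turn into a first-pass check over flow or firewall logs. The script below is an added example written for this page, not code from the DHS advisory or from the article; the flow-log format ("timestamp proto src dst dport"), the field names, the sample records and the threshold of five distinct ICMP destinations per source per minute are all assumptions.

```python
"""Apply the DHS monitoring advice (unusual ICMP volume, traffic to port 707)
to a handful of flow records.

Added example, not code from the advisory or from the article. The flow-log
format, the field names and the scan threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flows: 10.1.2.3 pings six hosts within one minute and
# then opens a TCP connection to port 707; 10.1.2.50 is an ordinary host.
SAMPLE_FLOWS = """\
2003-08-19T09:00:01 icmp 10.1.2.3 10.1.2.10 0
2003-08-19T09:00:01 icmp 10.1.2.3 10.1.2.11 0
2003-08-19T09:00:02 icmp 10.1.2.3 10.1.2.12 0
2003-08-19T09:00:02 icmp 10.1.2.3 10.1.2.13 0
2003-08-19T09:00:03 icmp 10.1.2.3 10.1.2.14 0
2003-08-19T09:00:03 icmp 10.1.2.3 10.1.2.15 0
2003-08-19T09:00:09 tcp 10.1.2.3 10.1.2.77 707
2003-08-19T09:00:05 icmp 10.1.2.50 10.1.2.1 0
2003-08-19T09:00:40 icmp 10.1.2.50 10.1.2.2 0
2003-08-19T09:00:41 tcp 10.1.2.50 10.1.2.80 80
"""

ICMP_SCAN_THRESHOLD = 5  # distinct destinations per source per minute (assumed)
SUSPECT_TCP_PORT = 707   # port the article says the worm reportedly uses


def parse_flow(line):
    """Split one log line into a dict; dport is 0 for ICMP records."""
    ts, proto, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}


def find_icmp_scanners(flows, threshold=ICMP_SCAN_THRESHOLD):
    """Sources that sent ICMP to at least `threshold` distinct hosts in one minute.

    Counting distinct destinations rather than raw packets separates a host
    sweeping the subnet from one that repeatedly pings a single gateway.
    """
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp":
            minute = f["ts"].replace(second=0, microsecond=0)
            targets[(f["src"], minute)].add(f["dst"])
    return sorted({src for (src, _), dsts in targets.items()
                   if len(dsts) >= threshold})


def find_port_707_peers(flows, port=SUSPECT_TCP_PORT):
    """(src, dst) pairs that carried TCP traffic to the suspect port."""
    return sorted({(f["src"], f["dst"]) for f in flows
                   if f["proto"] == "tcp" and f["dport"] == port})


def analyze(log_text):
    """Run both checks over a block of log text and return the findings."""
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return {"icmp_scanners": find_icmp_scanners(flows),
            "port_707_peers": find_port_707_peers(flows)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

A host that appears in both lists (sweeping the subnet with ICMP and then talking to port 707) is a much stronger candidate for isolation than one that trips only the ICMP threshold, which a monitoring tool or a misconfigured ping sweep can also do.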

According to Dan Ingevaldson, a member of Atlanta-based Internet Security Systems Inc.'s X-Force team, Nachi isn't a Blaster variant at all but an entirely new worm.

"Nachi just happens to exploit the same vulnerability. It's a totally different worm with a totally different code base," Ingevaldson said.

For instance, the worm contains more advanced scanning logic, including a list of 16 hard-coded Chinese and Asian networks to infect. The worm is also programmed to scan up to 300 different IP addresses at the same time to look for other machines to infect.

Importantly, the worm also appears to be infecting some systems via a previously disclosed buffer overflow vulnerability that can be reached through Microsoft's WebDav, a component of Internet Information Server (IIS) that allows users to add and manage content on a Web server remotely, according to Ingevaldson. The flaw, disclosed in March, affects Windows 2000 systems running IIS 5.0. As a result, such systems need to be patched against the flaw with MS03-007, Ingevaldson said. Users can also protect themselves by disabling WebDav functionality on IIS, he added.

According to Ingevaldson, the worm looks as though it has been designed to target computers in Asia more than those in North America, based on the hard-coded IP addresses contained in the worm.

"I guess the person who designed this figured he was doing everybody a favor," by unleashing a worm to download a patch against Blaster, he added. The new worm is programmed to disable itself Jan. 1, 2004, Ingevaldson said.

Variant of Sobig on the loose

Meanwhile, a new version of the Sobig virus is rapidly spreading on the Internet, antivirus companies said.

The worm basically sends itself as an e-mail attachment to addresses collected from a victim's computer. The worm forges the sender's e-mail address, making it "difficult to know who is truly infected," according to an alert on antivirus software vendor Sophos PLC's Web site.

The e-mail appears with subject headers such as "Re: That movie," "Re: Wicked screensaver," and "Re: Details." The attached file is chosen from a list that includes "movieoo45.pif," "wicked_scr.scr" and "your-document.pif," according to Sophos.
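The subject lines and attachment names listed above are the kind of indicators a mail gateway can match on directly, and the forged sender address is a reminder of what it should not match on. The script below is an added example written for this page, not code from Sophos or from the article; the subject and attachment names are the ones quoted in the story, the messages it builds are constructed sample data, and treating any .pif or .scr attachment as suspicious regardless of its name is an assumption (a reasonable one for a gateway, since both extensions are executable on Windows).

```python
"""Match the Sobig-F e-mail indicators reported by Sophos against messages.

Added example, not code from Sophos or from the article. Subject and
attachment names are the ones quoted in the story; the messages built here
are constructed test data, and the .pif/.scr rule is an assumption.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

SOBIG_SUBJECTS = {"re: that movie", "re: wicked screensaver", "re: details"}
SOBIG_ATTACHMENTS = {"movieoo45.pif", "wicked_scr.scr", "your-document.pif"}
EXECUTABLE_EXTENSIONS = (".pif", ".scr")  # assumed catch-all for renamed copies


def indicators(raw_message):
    """Return the indicator hits found in one raw RFC 822 message.

    The From: header is deliberately not consulted: the worm forges it, so a
    match on the sender would only implicate an uninfected third party.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SOBIG_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(EXECUTABLE_EXTENSIONS):
            hits.append(f"executable-attachment:{name}")
    return hits


def should_quarantine(raw_message):
    """Gateway decision: hold the message if any indicator matched."""
    return bool(indicators(raw_message))


def build_raw_message(subject, sender, attachment_name=None):
    """Construct a sample message as bytes (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    if attachment_name:
        msg.add_attachment(b"MZ placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_raw_message("Re: That movie", "colleague@example.com", "movieoo45.pif"),
        build_raw_message("Re: Details", "boss@example.com", "report.txt"),
        build_raw_message("Lunch?", "friend@example.com"),
    ]
    for raw in samples:
        print(should_quarantine(raw), indicators(raw))
```

Because the sender is forged, a quarantine notice sent back to the From: address goes to a bystander whose address merely sat in an infected machine's address book; the check above reports only the message's own content so that the notification logic does not become a second source of unwanted mail.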

The Sobig variant uses the Network Time Protocol (NTP), which servers use to synchronize their clocks, to determine when it should stop propagating, according to Sophos. If the date is Sept. 10, 2003, or later, the worm will no longer propagate.

Copyright © 2003 IDG Communications, Inc.