Only days after virus watchers warned of a rapidly spreading new Internet worm taking advantage of a security hole in the Microsoft Windows operating system, a variant of the Blaster worm has been reported.
The worm, also dubbed LoveSan or MSBlaster, emerged in the US on Monday, crashing systems and spreading to tens of thousands of vulnerable computers.
It exploits the RPC Buffer Overrun vulnerability in unpatched Microsoft Windows NT, Windows 2000, Windows XP and Windows Server 2003 operating systems.
Once it gets onto a vulnerable computer, the program downloads code from a previously infected machine that enables it to propagate itself. The machines then scan the Internet for other vulnerable machines and attack them, downloading .exe files using the Trivial File Transfer Protocol.
In some cases, the worm crashes the victim machine but does not infect it. The worm contains code that includes the phrase: "Billy Gates why do you make this possible? Stop making money and fix your software!!"
Information security and anti-virus companies say the new modification of the worm is a copycat of the original, with slight changes to its appearance. A new name has been given to the main worm-carrier file (TEEKIDS.EXE instead of MSBLAST.EXE), it has a new method of code compression (FSG instead of UPX), and new "copyright" strings in the body of the worm abusing Microsoft and anti-virus developers.
Global information security company Kaspersky Labs reports that the new discovery means a repeated outbreak could occur on a global scale.
"This is because the two versions exploit the same vulnerability in Windows and may co-exist on the same computer," says Eugene Kaspersky, head of anti-virus research for Kaspersky Labs. "In other words, all computers infected by the original worm will soon be attacked by its revamped version."
Kaspersky says around 300 000 systems have been infected with the worm, and the emergence of a variant implies a doubling of this number.
"In the worst case, the world community can face a global Internet slow-down and regional disruption of access to the Web, just as it happened in January 2003 due to the outbreak of the Slammer worm."
"The original author was successful at infecting hundreds of thousands of computers worldwide," says Steven Sundermeier, VP of products and services at anti-virus company Central Command. "Unfortunately, history has proven that this type of success usually generates a litter of copycat creations."