Last week it was the MSBlaster or LoveSan virus and this week the Sobig, Dumaru and Welchia viruses struck, leaving many of SA's corporates scrambling to action stations as some of their networks were almost rendered inoperable by this latest spate of viruses.
"A common feature of all of these viruses is that they exploit security vulnerabilities in Microsoft's software," comments Matt Newnham, anti-virus product manager at local company Camsoft Solutions.
There are reports of these viruses wreaking havoc in IT networks across the world as network administrators have battled to keep up with the number of security holes in the Windows software on their PCs that have needed plugging.
Only last year security experts warned that the ongoing exposure of security holes in software such as Microsoft's Windows operating systems would lead to an increase in the number of viruses and hack attempts occurring and that this problem was unlikely to go away for as long as there are individuals wanting to discredit successful organisations such as Microsoft.
Unfortunately the response to these security breaches has been after the fact, which is like closing the door after the horse has bolted. It is anticipated that this will continue to be the case in the future, as it appears that the collective efforts of an organisation the size of Microsoft have not been sufficient to solve this problem.
The Welchia virus is similar to the MSBlaster/LoveSan virus in that it uses the same vulnerability in Microsoft's software, namely the Remote Procedure Call (RPC) in Windows 2000 and XP which allows for file sharing. However, this particular virus actually attempts to remove the MSBlaster virus, after which it tries to apply Microsoft's security patch for the RPC hole.
"Although we have witnessed anti-virus viruses before, this is the first of its kind to actually attempt to fix a system's software by applying Microsoft's security patch," comments Camsoft's Newnham.
The Welchia virus is not an e-mail virus and does not send out e-mails on infected machines but enters a vulnerable PC directly via the Internet through a connection on Port 135. Therefore the user does not actually witness anything. The virus also doesn't have any immediately obvious tell-tale signs that it is present, except that the infected system is likely to become unstable because the virus is likely to have corrupted files in the process of trying to remove the MSBlaster virus and applying Microsoft's security patch.
The Welchia virus also automatically removes itself from an infected system on 1 January 2004, and it is this feature of the virus that can be used to remove it. Setting the clock date of an infected PC forward to any date in 2004, rebooting the PC and then resetting the date back to the current day's date will remove the virus.
"Anti-virus software alone has proven itself to be insufficient in combating this new breed of viruses because the anti-virus software detects viruses based on a signature file that has been written to identify the virus," says Newnham.
"What is needed in addition to anti-virus software is a personal (for SOHO users) or distributed firewall (for networked users). The Welchia virus, for example, manages to get behind corporate firewalls just like the MSBlaster virus via external Internet connections made from behind the firewall. Anti-virus vendors such as F-Secure and eScan provide the option to have a personal or distributed firewall as part of their anti-virus product offerings and these firewalls, which are installed locally on a PC, can prevent viruses such as MSBlaster and Welchia from entering the PC in the first case," adds Newnham.