The activity began last Monday when a predicted attack on
computers vulnerable through a flaw in Microsoft's Windows
operating system got underway. LoveSan, also known as MSBlaster,
is estimated to have infected over 570,000 computers, causing the
machines to crash and reboot every few minutes.
The worm was programmed to launch a denial of service attack –
where a server is overloaded to the point of collapse – against
Microsoft's windowsupdate.com web site last Saturday, but the
attack never actually materialised because Microsoft removed the
site.
A variant of Blaster has now emerged. This Welchia worm targets
the same flaw, but patches it, rather than causing crashes. However,
this 'good' virus appears to be something of a double agent and
internet security companies have issued warnings against it.
On Tuesday security firm Symantec upgraded the threat level of
the worm from level two to level four.
"Despite its original intent, the W32.Welchia.Worm is an
insidious worm that is preventing IT administrators from cleaning
up after the W32.Blaster.Worm," said Vincent Weafer, senior
director, Symantec Security Response. "The worm is swamping network
systems with traffic and causing denial-of-service to critical
servers within organizations."
Microsoft systems are also the target of a hoax e-mail,
purportedly from Microsoft, that offers an updated patch for
MSBlaster but actually contains a Trojan horse.
This is a program that is installed onto a computer without the
owner's knowledge, usually by deceiving the owner about what he or
she is getting when opening an e-mail attachment or downloading a
file from the internet. Once installed, the Trojan can carry out
malicious acts such as destroying data or downloading material onto
the computer without the user's knowledge.
IT managers are also battling a new variant of the SoBig virus.
This, unlike the Blaster virus, propagates through e-mail, and
takes the form of a mass e-mailing from an infected machine. The
virus is contained in a .pif or .scr file attached to the
e-mail.
To add to the difficulties, many users whose machines have been
infected are finding themselves receiving auto-responses accusing
them of trying to spread the SoBig virus. These are sent by gateway
applications programmed into some computers. Gateway applications
scan incoming e-mails, block those containing a virus, and often
send an e-mail back to the sender of the viral e-mail – who is
usually an innocent party.
Anti-virus firm Sophos recommends "that users do not respond to
e-mails from auto-responders accusing them of being infected and
spreading the Sobig-F worm. However, they should consider
double-checking their computers for the latest viruses just in case
they are genuinely infected".