Feared RPC worm starts to spread

Security experts on Monday warned of the first self-propagating virus to take advantage of a widespread vulnerability reported last month in Microsoft Corp.'s Windows operating systems.

Known by various names, including Blaster and Lovesan, the worm virus has begun to infect computers at homes and businesses and could clog the Internet with traffic and allow a malicious hacker to steal or corrupt data stored in an infected system, experts said.

The vulnerability, a buffer overrun in a Windows interface that handles the RPC (Remote Procedure Call) protocol, was acknowledged by Microsoft in a security bulletin posted July 16. Along with government and private security organizations, Microsoft has been urging customers to install a security patch in order to protect against attack.

The flaw affects several versions of Windows, including Windows NT 4.0, Windows XP and Windows Server 2003, making potential targets of millions of desktop and server computers. Experts have warned of the potential for serious disruption of the Internet, although it wasn't immediately clear Monday how rapidly the worm was spreading.

Security vendor Trend Micro Inc. said it had received reports of several infected machines Monday. The worm was observed scanning for vulnerable systems and then sending itself to those machines using port 135, the company said. The worm also will launch a denial of service attack against Microsoft's windowsupdate.com Web site on Aug. 16 and Aug. 31, and on every day from Sept. 1 through the end of the year, Trend Micro said.

Trend Micro gave the worm an overall risk rating of medium but rated the damage and distribution potential as high. Network Associates Inc.'s McAfee unit also rated the worm "medium on watch" for both home and business users.

Daniel Zatz, senior security consultant from Computer Associates in Sydney said the worm was unique in that it was targetting the operating system and not an application. Where most worms come to users via attachments in e-mail, this one is coming from the RPC exploit. As a result, those consumers who have not updated their antivirus signatures on their PCs "are not going to know they have been affected", he said.

Netsolve Inc., an IT services company in Austin, Texas, that provides managed security services to about 1,000 businesses, said the worm was spreading rapidly and had been observed in several of its customers' networks Monday afternoon. However, Chuck Adams, the company's chief security officer, said it was too early to say for sure how much damage, and what type of damage, the worm will cause.

"The impact is pretty small right now, but based on the analysis we've done on the (exploit) code we've captured, it's going to be a propagation pattern similar to SQL Slammer," he said, referring to a widespread worm that affected Microsoft's SQL Server 2000 database earlier this year.

However, based on Netsolve's early observations, Blaster isn't likely to spread as widely as SQL Slammer, Adams predicted.

"I don't think it will be as large because there are some limitations" to Blaster, he said. For example, SQL Slammer tried to take advantage of multiple Windows vulnerabilities, while Blaster appears to exploit only one, he said.

According to Zatz, Computer Associates has already had some of its Australian customers affected since fist detecting the worm at about 7am AEST. "It is still early days," he said.

The most troubling aspect of Blaster is that as well as propagating itself, the worm installs a "back door" program on infected systems and reports back to an Internet relay chat server that the system has been compromised, Adams said. A malicious hacker could use that information to identify a compromised system and then attempt to delete or access data stored on it, he said.

(Howard Dahdah contributed to this report.)

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

James Niccolai

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?