While the second wave of an Internet attack by the “MSBlaster” worm barely caused a ripple over the weekend, over a half million computers were still infected by the malicious program on Monday. Meanwhile, a new “good Samaritan” version of the worm was released. Dubbed “Welchia,” this worm actually deletes MSBlaster and attempts to install the proper security patch on vulnerable machines.
MSBLASTER HAD been designed to attack a Microsoft Web site during the weekend. But the firm had plenty of time to prepare, and the attack essentially was a dud. Microsoft said it had no major problems from the worm’s attempt to turn thousands of infected computers into instruments targeting the software company’s Web site and network.
(MSNBC is a Microsoft-NBC joint venture.)
Microsoft did not notice any extraordinary network congestion, company spokesman Sean Sundwall said over the weekend. There were also no reports of customers having major problems accessing the targeted Web site.
Still, he urged people to take precautions to protect their computers. And the worm remains more than a nuisance. According to Symantec Corp, 530,000 computers are currently infected with MSBlaster and actively attempting to infect other machines on the Internet. There are about 2,000 to 3,000 new infections every hour, said Alfred Huger, senior director of engineering at Symantec Corp.
EXPERTS WARY OF ‘GOOD SAMARITAN’ Since the worm’s release last week, there have already been four variants, or slightly altered version of the program designed to evade antivirus software. The “good” program, Welchia, is not really a variant, Huger said. But it is quite similar to MSBlaster, since it uses the same critical Windows vulnerability to spread.
Welchia apparently is designed to install the appropriate patch to unsecured computers. Antivirus experts bristle at such a “good Samaritan” program, however, since it might have unintended consequences.
“It can cause all sorts of problems when patches are applied to a computer, unbeknownst to the administrator of that computer,” said Ken Dunham, spokesman for iDEFENSE Inc. His analysis of the new worm indicates it might leave a back door on computers it has apparently cleaned, he said.
Network Associates Inc. rates the new worm a medium risk; several high-profile clients have been hit with it, said spokesman Craig Schmugar.
“We’re seeing some reports of people who said, ‘We are patched but we’re getting infected,’ ” said Schmuger. “But the truth is they never rebooted their system, so the patch wasn’t fully installed. Some people think they protected but they are not.”
ATTACKED THE WRONG SITE
The original MSBlaster infection exploits a flaw in most current versions of Microsoft’s Windows operating system for personal computers, laptops and server computers. Although Microsoft posted a software patch to fix the flaw July 16, many users failed to download it, leaving them vulnerable.
The infection caused computers to reboot frequently or disrupted users’ browsing on the Internet. But it also packed a second punch.
Computer experts said starting at 12:01 a.m. local time Saturday, infected computers that have not cleaned up the virus would in effect turn into a legion of zombies instructed to repeatedly call up a Microsoft Web site that houses the software patch. If enough traffic flooded the network, the site could be rendered unreachable and computer users would be unable to access the patch.
But the exploiters of the Microsoft flaw made a mistake themselves. The worm instructed computers to call up http://windowsupdate.com — which is an incorrect address for reaching the actual Microsoft Web site that houses the software patch. Although Microsoft has long redirected those who visited that incorrect address to the real site — http://windowsupdate.microsoft.com — the company disabled the automatic redirection Thursday in preparation for the onslaught of infected computers.
That helped Microsoft’s real Web site stay accessible to users, Sundwall said. The company also took other measures to keep its site up and running, he said. He declined to give specifics.
The worm also left behind a love note on vulnerable computers: “I just want to say LOVE YOU SAN!” It also carried a hidden message to taunt Microsoft’s chairman: “billy gates why do you make this possible? Stop making money and fix your software!”
The Associated Press contributed to this report.