Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

Trend Micro: MSBLAST.D infections primarily in US and Asia

  • 19 August, 2003 15:09

<p>Leading antivirus and content security company, Trend Micro has reported infections of the new Microsoft Blaster, WORM_MSBLAST.D variant (aliases W32/Nachi, Welchia and Blaster.D) have occurred primarily in the United States, China and Singapore.</p>
<p>As of 12:00pm (EST) on Tuesday 19th August Trend Micro has received 430 customer calls globally. MSBLAST.A prompted more than 500 calls globally, and while Trend Micro users have fared better than most, MSBLAST.A is still the 5th fastest spreading worm in Australia according to Trend Micro’s Worldwide Tracking System.</p>
<p>The MSBLAST.D variant was first detected in Asia on Monday night. TrendLabs has received scattered infection reports from Japan, Taiwan, and Singapore.</p>
<p>Mr Joel Montgomery, Trend Micro’s Product Marketing Manager said, the new worm variant attempts to delete the original worm (WORM_MSBLAST.A, a/k/a Blaster, Lovsan) from infected systems and install Microsoft patches to repair the underlying vulnerability that enables both worms to spread.</p>
<p>“We recommend customers adopt an approach encompassing more than just a technology-based response. People, processes and technology need to work in concert to deal with an evolving threat. Dealing with a variant such as MSBLAST.D should require little effort if the outbreak lifecycle process was dealt with effectively when the A variant hit. It exploits the same vulnerability and triggers the same internal response mechanisms,” Mr Montgomery said.</p>
<p>The original MSBlast worm infected hundreds of thousands of computers beginning August 11, and attempted to launch a distributed denial of service attack on Microsoft’s Windows Update Web site on August 16th. However, the worm targeted an incorrect address (http:\\windowsupdate.com) from which Microsoft normally redirected traffic to the service’s correct Web page (http://windowsupdate.microsoft.com).</p>
<p>Trend Micro customers remained relatively unaffected by MSBLAST.A due primarily to the quick dispatch of the Outbreak Prevention Policy which allowed Trend Micro to shut down customers ports dynamically (e.g. Port 4444) to prevent the spread of the infection.</p>
<p>MSBlast.D usually arrives as a file named DLLHOST.EXE, approximately 10,240 bytes in size. (A Windows system file with the same name is only 6 kilobytes in size.) Like the original worm, the variant spreads solely through Internet and LAN traffic by scanning for new hosts.</p>
<p>MSBLAST.A exploits the RPC DCOM buffer overflow security flaw in Windows NT, 2000 and XP, instructing target systems to download a copy of itself from the infected system via TCP Port 707, using a TFTP server program. MSBlast.D also uses a WebDAV exploit to penetrate vulnerable systems, which again enables it to arrange for the downloading of worm code via Port 707 and the TFTP server. The RPC DCOM and WebDAV vulnerabilities were disclosed by Microsoft in July and March 2003, respectively.</p>
<p>TrendLabs’ analysis shows that the worm proceeds to terminate and delete the MSBLAST.EXE file, which is infected by MSBlast.A, on Windows 2000 and XP systems. It next downloads patches to repair the RPC DCOM buffer overflow in Chinese, English and Korean, installing those that match the language on the infected machine, and rebooting the system. (Users of other language versions of Windows go unpatched.)</p>
<p>MSBlast.D will then remain on the system and continue to search for new hosts throughout 2003. When the malware finds that the year is 2004, it automatically eliminates itself from the system by removing the services it had created and deleting itself.</p>
<p>The RPC DCOM vulnerability can allow intruders full access and the ability to execute any code on target machines, leaving them seriously compromised. It affects recent versions of the Windows operating system: Windows.</p>
<p>The pattern file, Outbreak Prevention Policy and System Cleaner are all available to Trend Micro customers now.</p>
<p>Non Trend Micro users with Internet connections can use HouseCall, Trend Micro's free online virus scanner, at http://housecall.trendmicro.com/ The Trend Micro Virus Map displays information about worldwide virus trends based on actual virus infections detected by Trend Micro http://www.trendmicro.com/map/</p>
<p>About Trend Micro</p>
<p>Trend Micro is the world leader in providing centrally controlled server-based virus protection and content-filtering products and services. By protecting information that flows through Internet gateways, email servers and file servers, Trend Micro allows companies and service providers worldwide to stop viruses and other malicious code from a central point before they enter the network. Trend Micro was recently acknowledged as the worldwide leader in server-based antivirus in the IDC report "Antivirus Software 2002: A segmentation of the market". For more information visit www.trendmicro.com.au
###</p>

Most Popular