F-Secure Corporation, a data security company, reported the fourth major computer virus alert within the past 24 hours, making this week the worst week ever for viruses in the history of computing.

The Lovsan (or Blaster) network worm started to spread on Monday, August 11, 2003. The worm spreads in an executable named MSBLAST.EXE to Windows 2000 and Windows XP systems unless recent Windows security patches have been applied. The infection is completely invisible to the end user, and the worm then keeps replicating from every infected machine. Lovsan has already infected hundreds of thousands of computers, and in addition to the first Lovsan, three new variants have been found. The latest one, Lovsan.D, was discovered on August 19, 2003.

The Welchi (or Nachi) worm was first discovered on August 18, 2003. It uses the same RPC hole as Lovsan to infect machines. However, Welchi also tries to infect web servers running Microsoft IIS 5.0 by exploiting a WebDAV vulnerability found in March 2003.

Welchi is clearly much more advanced than the relatively simple Lovsan worm. When infecting a computer that has already been infected by Lovsan, Welchi kills Lovsan and removes the infection. In addition, the worm tries to apply the Microsoft patch to close the RPC hole. Welchi is programmed to die on January 1st, 2004. After this date the worm will uninstall and remove itself from infected systems. The biggest side effect of Welchi is that it generates a lot of network traffic, enough to cause problems for some routers and switches.

Sobig.F is part of the Sobig family, which was started by Sobig.A in January 2003. Sobig.F, which was discovered on August 19th, is the fifth variant of this worm. Sobig variants all stop spreading on a certain date. When the previous variants expired, the next variant would start spreading. All Sobig versions have spread widely.

Sobig variants typically install backdoors to infected systems. Some of them have been used to send massive amounts of spam.

Lovsan.D is a new variant of the Lovsan worm, with a modified attachment name. Instead of msblast.exe, the attachment is now named mspatch.exe.

Dumaru was found on August 19th, and it exploits the fuss caused by the Lovsan worm. Dumaru sends an email message spoofed to appear to come from support@microsoft.com. According to the body text, the attached PATCH.EXE file will fix the vulnerability. If this attachment is opened, the machine will be infected. Dumaru also installs a backdoor through which the virus writer can remotely control the machine.

Detailed technical descriptions and screenshots of all four of these worms as well as are available in the F-Secure Virus Description Database at:
http://www.f-secure.com/v-descs/sobig_f.shtml
http://www.f-secure.com/v-descs/welchi.shtml
http://www.f-secure.com/v-descs/msblast.shtml
http://www.f-secure.com/v-descs/dumaro.shtml
http://www.f-secure.com/v-descs/lovsand.shtml
