New Windows worm starts to spread

Security experts have issued a warning about the first self-propagating worm to take advantage of a widespread vulnerability...

Security experts have issued a warning about the first self-propagating worm to take advantage of a widespread vulnerability reported last month in Microsoft's Windows operating systems.

Known by various names, including Blaster and Lovesan, the worm has begun to infect computers at homes and businesses. Experts said it could clog the internet with traffic and allow a malicious hacker to steal or corrupt data stored in an infected system.

Microsoft acknowledged the vulnerability, a buffer overrun in a Windows interface that handles the RPC (Remote Procedure Call) protocol, in a security bulletin posted on 16 July. Along with government and private security organisations, Microsoft has been urging customers to install a security patch to protect against attack.

The flaw affects several versions of Windows, including Windows NT 4.0, Windows XP and Windows Server 2003, making potential targets of millions of desktop and server computers. Experts have warned of the potential for serious disruption of the internet, although it is unclear how rapidly the worm is spreading.

Security company Trend Micro said it had received reports of infected machines. The worm was observed scanning for vulnerable systems and then sending itself to those machines using port 135.

The worm also will launch a denial-of-service attack against Microsoft's website on 16 August and 31 August, and on every day from 1 September through the end of the year, Trend Micro warned.

Trend Micro gave the worm an overall risk rating of medium but rated the damage and distribution potential as high. Network Associates' McAfee unit also rated the worm "medium on watch" for both home and business users.

Netsolve, a US-based IT services company which provides managed security services to about 1,000 businesses, said the worm was spreading rapidly and had been observed in several of its customers' networks. However, Chuck Adams, the company's chief security officer, said it was too early to say for sure how much damage, and what type of damage, the worm will cause.

"The impact is small right now, but based on analysis on the [exploit] code we've captured, it's going to be a propagation pattern similar to SQL Slammer," he said. Slammer was a widespread worm that affected Microsoft's SQL Server 2000 database earlier this year.

Adams thought the new worm might not have the impact of Slammer because it only exploits one vulnerability where Slammer targeted multiple Windows vulnerabilities.

The most troubling aspect of Buster is that while propagating itself, the worm installs a "back door" program on infected systems and reports back to an internet relay chat server that the system has been compromised, Adams said.

A malicious hacker could use that information to identify a compromised system and then attempt to delete or access data stored on it, he added.

James Niccolai writes for IDG News Service

Read more on IT risk management