Video | Business Headlines | Internet | Science | Scientific Ethics | Technology | Search


Decrease In New W32.Blaster.Worm Infections Seen

Symantec Sees Decrease In New W32.Blaster.Worm Infections


Systems in the United States, United Kingdom, Canada, Australia and Ireland Most Affected

CUPERTINO, Calif. - Aug. 13, 2003 - Symantec, the world leader in Internet security, today announced that it has seen an initial peak in the number of new W32.Blaster.Worm infections. In fact, Symantec Security Response experts have noted a 30 to 40 percent decrease in infected systems from Monday, August 11 PDT to Tuesday, August 12 as monitored by the Symantec DeepSight Threat Management System.

"The W32.Blaster.Worm, which propagates via the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, has been spreading worldwide at a much slower rate than CodeRed, Nimda or Slammer," said Alfred Huger, senior director Symantec Security Response.

"The potential for infection with W32.Blaster.Worm, however, is much greater than previous worms due to the overwhelming number of machines that are affected by the MS RPC Buffer Overrun vulnerability."

Of the 188,000 hosts infected, the top five countries currently affected are the United States (48 percent), United Kingdom (15 percent), Canada (5 percent), Australia (3 percent) and Ireland (2 percent).

Although the number of new infections is declining, two variants have been identified. W32.Blaster.B.worm and W32.Blaster.C.worm, variants of W32.Blaster.worm, differ only in that they rename the executable to Penis.exe, and Teekids.exe respectively. Symantec Security Response has rated these variants as Level 2 threats. In addition, Symantec has discovered a new Trojan, W32.Randex.E that also takes advantage of the vulnerability. This Trojan allows its creator to control a computer by using Internet Relay Chat (IRC) and is also rated a Level 2.

The Symantec DeepSight Threat Management System, part of Symantec's Early Warning Solutions, tracks security threats and provides quick analysis countermeasures to protect against malicious threats on a global basis. The most extensive data network in the world, the solution gathers data from firewalls and intrusion detection systems (IDS) of more than 20,000 partners in more than 180 countries - offering the most comprehensive view of what is happening on the Internet.

Symantec Security Response encourages network administrators to implement the following:

* Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied. The patch is available at bulletin/MS03-026.asp

* Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445 and tcp/593.

Symantec Security Response encourages home users to immediately install the latest patch from Microsoft and update their virus definitions to protect against W32.Blaster.Worm.

W32.Blaster.Worm Removal Tool Symantec Security Response has posted a removal tool for W32.Blaster.Worm. The removal tool is available from: oval.tool.html.

Symantec Security Solutions Symantec's full application inspection firewalls protect against W32.Blaster. Worm by default, blocking all vulnerable TCP ports 135, 139, and 445. For Windows-based firewalls, Symantec's unique initial and ongoing system hardening automatically protects the firewall itself from this RPC-based attack. For maximum security, third generation full application inspection technology intelligently blocks tunneling of DCOM traffic over HTTP channels thus providing an extra layer of protection not readily available on most common network filtering firewalls. For protection specifically at the desktop, the firewall technology in Symantec Client Security and Norton Internet Security provide default protection against this threat.

The protocol anomaly detection technology in Symantec ManHunt detects the activity associated with this Microsoft exploit as "Portscan." Customers can also use the signatures that Symantec released on July 25, 2003, which includes the "Microsoft DCOM RPC Buffer Overflow" custom signature to precisely identify the exploit being sent. These signatures were designed to detect the exploitation of the RPC DCOM buffer overflow and are not specific to the W32.MSblaster.Worm. By using these signatures, Symantec ManHunt is able to generically detect the worm attacking/infecting a new host.

Symantec Enterprise Security Manager (ESM) has detected the underlying vulnerability that this worm exploits since July 17,2003 (through LiveUpdate and Web site download). Symantec ESM is an industry-leading security policy compliance solution that enables enterprises to create customized security policies and manage policy compliance in mission critical business applications and servers across a heterogeneous enterprise from a single location.

Symantec's antivirus solutions, such as Symantec AntiVirus Corporate Edition, with current virus definitions automatically protect against W32.Blaster.Worm.

About W32.Blaster.

Worm W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135. This worm attempts to download the msblast.exe file and execute it. The worm also attempts to perform a Denial-of-Service attack on Windows Update. This is an attempt to prevent users from applying a patch on their systems against the DCOM RPC vulnerability. For more information on this worm, or to learn how to delete and scan for infected files, visit the Symantec Security Response Web site at

About Symantec

Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to enterprises, individuals and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering and remote management technologies as well as security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit .

### NOTE TO EDITORS: : If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States. Symantec and the Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.


© Scoop Media

Business Headlines | Sci-Tech Headlines


Watch This Space: Mahia Rocket Lab Launch Site Officially Opened

Economic Development Minster Steven Joyce today opened New Zealand’s first orbital launch site, Rocket Lab Launch Complex 1, on the Mahia Peninsula on the North Island’s east coast. More>>


Marketing Rocks!
Ig Nobel Award Winners Assess The Personality Of Rocks

A Massey University marketing lecturer has received the 2016 Ig Nobel Prize for economics for a research project that asked university students to describe the “brand personalities” of three rocks. More>>


Nurofen Promotion: Reckitt Benckiser To Plead Guilty To Misleading Ads

Reckitt Benckiser (New Zealand) intends to plead guilty to charges of misleading consumers over the way it promoted a range of Nurofen products, the Commerce Commission says. More>>


Half A Billion Accounts, Including Xtra: Yahoo Confirms Huge Data Breach

The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. More>>


Rural Branches: Westpac To Close 19 Branches, ANZ Looks At 7

Westpac confirms it will close nineteen branches across the country; ANZ closes its Ngaruawahia branch and is consulting on plans to close six more branches; The bank workers union says many of its members are nervous about their futures and asking ... More>>

Interest Rates: RBNZ's Wheeler Keeps OCR At 2%

Reserve Bank governor Graeme Wheeler kept the official cash rate at 2 percent and said more easing will be needed to get inflation back within the target band. More>>


Get More From Scoop

Search Scoop  
Powered by Vodafone
NZ independent news