Decrease In New W32.Blaster.Worm Infections Seen
Symantec Sees Decrease In New W32.Blaster.Worm Infections
Systems in the United States, United Kingdom, Canada, Australia and Ireland Most Affected
CUPERTINO, Calif. - Aug. 13, 2003 - Symantec, the world leader in Internet security, today announced that it has seen an initial peak in the number of new W32.Blaster.Worm infections. In fact, Symantec Security Response experts have noted a 30 to 40 percent decrease in infected systems from Monday, August 11 PDT to Tuesday, August 12 as monitored by the Symantec DeepSight Threat Management System.
"The W32.Blaster.Worm, which propagates via the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, has been spreading worldwide at a much slower rate than CodeRed, Nimda or Slammer," said Alfred Huger, senior director, Symantec Security Response.
"The potential for infection with W32.Blaster.Worm, however, is much greater than previous worms due to the overwhelming number of machines that are affected by the MS RPC Buffer Overrun vulnerability."
Of the 188,000 hosts infected, the top five countries currently affected are the United States (48 percent), United Kingdom (15 percent), Canada (5 percent), Australia (3 percent) and Ireland (2 percent).
Although the number of new infections is declining, two variants have been identified. W32.Blaster.B.worm and W32.Blaster.C.worm, variants of W32.Blaster.worm, differ only in that they rename the executable to Penis.exe and Teekids.exe, respectively. Symantec Security Response has rated these variants as Level 2 threats. In addition, Symantec has discovered a new Trojan, W32.Randex.E, that also takes advantage of the vulnerability. This Trojan allows its creator to control a computer by using Internet Relay Chat (IRC) and is also rated a Level 2.
The Symantec DeepSight Threat Management System, part of Symantec's Early Warning Solutions, tracks security threats and provides quick analysis countermeasures to protect against malicious threats on a global basis. The most extensive data network in the world, the solution gathers data from firewalls and intrusion detection systems (IDS) of more than 20,000 partners in more than 180 countries - offering the most comprehensive view of what is happening on the Internet.
Symantec Security Response encourages network administrators to implement the following:
* Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin MS03-026 have been applied. The patch is available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
* Ensure that the following ports are filtered at the network perimeter and between all untrusted network segments: udp/135, udp/137, udp/138, tcp/135, tcp/445 and tcp/593.
Symantec Security Response encourages home users to immediately install the latest patch from Microsoft and update their virus definitions to protect against W32.Blaster.Worm.
W32.Blaster.Worm Removal Tool
Symantec Security Response has posted a removal tool for W32.Blaster.Worm. The removal tool is available from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html.
Symantec Security Solutions
Symantec's full application inspection firewalls protect against W32.Blaster.Worm by default, blocking all vulnerable TCP ports 135, 139, and 445. For Windows-based firewalls, Symantec's unique initial and ongoing system hardening automatically protects the firewall itself from this RPC-based attack. For maximum security, third generation full application inspection technology intelligently blocks tunneling of DCOM traffic over HTTP channels, thus providing an extra layer of protection not readily available on most common network filtering firewalls. For protection specifically at the desktop, the firewall technology in Symantec Client Security and Norton Internet Security provides default protection against this threat.
The protocol anomaly detection technology in Symantec ManHunt detects the activity associated with this Microsoft exploit as "Portscan." Customers can also use the signatures that Symantec released on July 25, 2003, which include the "Microsoft DCOM RPC Buffer Overflow" custom signature to precisely identify the exploit being sent. These signatures were designed to detect the exploitation of the RPC DCOM buffer overflow and are not specific to the W32.MSblaster.Worm. By using these signatures, Symantec ManHunt is able to generically detect the worm attacking/infecting a new host.
Symantec Enterprise Security Manager (ESM) has detected the underlying vulnerability that this worm exploits since July 17, 2003 (through LiveUpdate and Web site download). Symantec ESM is an industry-leading security policy compliance solution that enables enterprises to create customized security policies and manage policy compliance in mission critical business applications and servers across a heterogeneous enterprise from a single location.
Symantec's antivirus solutions, such as Symantec AntiVirus Corporate Edition, with current virus definitions automatically protect against W32.Blaster.Worm.
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135. This worm attempts to download the msblast.exe file and execute it. The worm also attempts to perform a Denial-of-Service attack on Windows Update. This is an attempt to prevent users from applying a patch on their systems against the DCOM RPC vulnerability. For more information on this worm, or to learn how to delete and scan for infected files, visit the Symantec Security Response Web site at
Symantec, the world leader in Internet security technology, provides a broad range of content and network security software and appliance solutions to enterprises, individuals and service providers. The company is a leading provider of client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability management, intrusion detection, Internet content and email filtering and remote management technologies as well as security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide operations in 36 countries. For more information, please visit www.symantec.com.
###
NOTE TO EDITORS: If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at