The Blaster worm is still spreading in the wild, though experts agree that charting its progress and traction involves more than a little guesswork.
Some antivirus companies track the progress by the number of support calls on the worm that they have received. For example, three out of four calls to antivirus vendor Sophos PLC have been about Blaster. Symantec Security Response estimates that at least 124,000 computers were infected by the worm, and some experts have seen their personal systems scanned every second for port 135, which the worm targets.
"It's hard to say [how widespread it is]," said Graham Cluley, senior technology consultant at Sophos. "With e-mail worms, you can just count the number of e-mails with it. There are no e-mails to count with this worm."
As a network worm, Blaster doesn't exhibit what most people consider worm-like activity. Such worms, like last January's SQL Slammer worm, can travel without human interaction. A system can be infected by Blaster if it has an RPC port open, a vulnerable version of Windows running and an Internet connection. The vulnerability lies in how RPC, which lets heterogeneous computers communicate with one another, is implemented in Windows.
"You have to be really geeky or techie to realize you have been infected by a worm," Cluley said. "Most people would recognize it as just general computer problems such as their system is running slow."
Often, mass-mailer worms rely on seductive or catchy subject lines to entice recipients into double-clicking on the attached worm. As a result, those worms tend to be more localized. "There is no language barrier with this worm [Blaster]. It can infect a computer in Tibet as easily as one in Boston," Cluley said.
For nearly four weeks a patch has been available to fix the Remote Procedure Call (RPC) flaw in Windows. By most accounts, installing the patch wasn't very difficult. But the sheer pervasiveness of the vulnerability makes Blaster dangerous even if most people patch their systems, because it affects so many flavors of Windows. Windows 2000, XP and NT are all affected. "You have a pool of perhaps 100 million computers that could have the vulnerability," said David Perry, Trend Micro Inc.'s global director of education.
Even if a fraction of those systems do become infected, a distributed denial-of-service attack later this week on Microsoft's patch update page could be damaging because it would hamper users' efforts to fortify their machines. "Especially home users shouldn't wait until the weekend to patch their systems. They need to go home tonight and do it," Cluley said.
Just updating antivirus signature files is not enough. "You may be safe now, but another worm that exploits the vulnerability may come along," Cluley said. Not taking preventative action, he added, is "like leaving a window at your home open to burglars."
FOR MORE INFORMATION: