A new worm appeared today that exploits the RPC-DCOM vulnerability and tries to repair the flaw to protect against future infections.
The new worm, which is being called different names by antivirus companies, tries to eliminate the Blaster worm by targeting the dllhost.exe executable associated with it. It also downloads Microsoft patch MS03-026 and tries to fix the RPC-DCOM flaw. There are conflicting reports as to whether it's a variant of Blaster or a new worm altogether. Blaster appeared a week ago and was the first worm to exploit the critical Windows vulnerability.
As of noon EST, researchers at several antivirus companies were working to determine the worm's characteristics. Each antivirus company had its own name for the worm: McAfee is calling it Nachi, Symantec has labeled it Welchia, and Trend Micro is calling it MSBlast-D. All have labeled it a medium risk.
"There is still some debate within the antivirus community over whether it's a variant of Blaster," said Craig Schmugar, a virus research engineer with McAfee. "But we think the code is different enough [to not call it a Blaster variant]."
The new worm appears to use the same exploit code as Blaster, Schmugar said. When infecting systems, it copies itself to a Windows directory and then tries to infect vulnerable systems on the network.
The worm then kills the msblast.exe process, which is dropped by Blaster, and deletes that file. It then detects which version of Windows is running and downloads the appropriate patch.
Some people may champion such a benevolent worm as a godsend given all the systems infected by Blaster, but antivirus researchers aren't so sure. "A kid could have written it to say 'Microsoft couldn't get the patch out but I could. Ha ha ha'," said David Perry, Trend Micro Inc.'s global director of education. "But the writer could have more nefarious purposes. We just don't know."
While such a worm may appear helpful on the surface, there is no guarantee that it won't cause system damage. "The vast majority of damage caused by viruses are from bugs in them," Perry said. "Maybe [the author of the new worm] is a competent programmer, but we can't tell."
Schmugar echoed those sentiments. "It does some other suspicious things. We are still examining it," he said.
The worm is likely to be responsible for a spike in Internet Control Message Protocol (ICMP) traffic this morning. The Internet Storm Center operated by the SANS Institute noted a "remarkable increase" in ICMP traffic. ICMP is a protocol used for message control and error-reporting.
Experts continue to warn users to patch their systems for the RPC vulnerability, which affects multiple versions of Windows, despite the decline in the spread of Blaster-A. The worm, which first appeared last Monday, was also called MSBlast and Lovsan.