By PETER GRIFFIN IT writer
Internet providers, antivirus software vendors and internet users are scrambling to plug a security hole that is set to launch a "denial of service" attack on software maker Microsoft.
The so-called MS Blaster worm has spread across the internet in the last 48 hours, exploiting a flaw in a part of Microsoft's Windows software that enables remote control of a user's computer.
New Zealand computer users have received the unwanted worm but not yet in numbers to cause widespread concern.
Ultimately the worm, which is also known as "Billy", "Blaster", and "LoveSan", prowls the internet for computers not equipped with the latest software "patch" from Microsoft. It then downloads the file msblaster.exe to the vulnerable computer, which enables remote control of the machine when it is connected to the internet.
Remote procedure call (RPC) is a genuine element of Windows that allows computers to share files and access printers and scanners from different locations.
The worm generally does not spread via email but by scanning for open computer "ports" which are not protected by firewalls. Microsoft made available a patch for the software exploit in late July, but the spread of the worm shows that computer users have been slow in applying it to their systems.
Yesterday internet provider ihug moved to temporarily close access to "port 135", the prominent route of attack for MS Blaster. Rival Xtra, the country's largest internet provider, hadn't taken that step but was being bombarded with concerned customers ringing its helpdesk staff with queries.
The Government's Centre for Critical Infrastructure Protection, which monitors for threats to communications networks, said most companies with firewall protection could block the worm. "It shouldn't be a huge concern to most organisations [but] if they're communicating between Windows boxes across the internet they should really be doing that through a [private network]," a spokesman for the centre said.
Ultimately the worm aims to amass an army of machines that computer experts suggest may be used to launch a denial of service attack on Microsoft's website www.windowsupdate.com beginning August 16. The website is the first port of call for Windows users updating their software.
In the lead-up to the planned attack, "depending on what level the worm tries to re-propagate itself, there could be traffic surges," the CCIP spokesman added.
Buried within its code the worm delivers a taunt to Microsoft chairman Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!!"
Computer experts expected the worm to be tweaked so as to become more efficient at spreading. At worst it may replicate the "success" of the "Code Red" worm that affected 300,000 computers and caused an estimated $1.2 billion in cleanup costs in July 2001.
Earlier this month the United States Department of Homeland Security gave two public advisories on the Microsoft software flaw, which federal officials said could disrupt as many as 75 percent of all computers linked to the internet.
Microsoft has also taken the unusual step of contacting all of its partners in the sales channel to ensure they were urging Windows users to download the appropriate patch.
Microsoft New Zealand enterprise and partner group director Terry Allen said concerned users can contact Microsoft Services on 0800-800-004 for information about applying the patch or for advice on what to do if they are infected.