• United States
Senior Editor, Network World

Worm outbreaks saturate networks

Aug 25, 20034 mins

Last week went down as one of the worst computer security weeks ever, as a spate of new worms crippled corporate and government networks that rely on Microsoft software.

The attacks, which came a week after the damaging Blaster (or LovSan) worm struck, included a variant on that intruder and with another worm designed to save users from Blaster but instead wound up clogging networks (see graphic).

Meanwhile, a spinoff of the SoBig mass-mailer worm, tricked victims into opening attachments to so that it could grab their Outlook address book to mail itself again. VeriSign reported that SoBigF, programmed to send mail traffic through one of the company’s root DNS servers, caused a 20-fold spike in traffic between Tuesday and Wednesday. (Security watchers warned Friday, just before press time, that SoBig.F carries a Trojan it might use to attack an unknown target later that day.)

Among those networks feeling the pain last week was the Navy Marine Corps Intranet (NMCI), used by about 100,000 personnel. It was saturated for three days with scanning caused by Welchia, a worm with a mission to use Blaster-like techniques to break into computers to disinfect machines hit by Blaster and then patch them. Welchia infected tens of thousands of NMCI computers.

“It was pinging away, trying to grab a patch from Microsoft,” says Capt. Chris Christopher. “The traffic was getting too heavy, and it affected network performance.”

NMCI desktop computers weren’t affected, but network capacity wasn’t restored in large part until last Thursday. The massive cleanup effort involved patching machines for the Microsoft vulnerabilities Welchia exploited, as well as ensuring anti-virus signatures were place.

The NMCI uses Symantec’s anti-virus products, but Symantec didn’t have the signature update for Welchia ready until several hours after it hit, Christopher says.

Blaster hits airline system

Separately, a variant on the Blaster virus affected about half of Air Canada’s phone-reservation system and some airport check-in operations last Tuesday, even causing some flights to be delayed or canceled. CSX, the third largest railroad company in North America, also blamed worms for creating transportation delays.

According to CSX, the worm outbreaks mainly hit its network-supporting applications used for dispatch and signal systems operated by the CSX Transportation division. The network saturation caused CSX to halt passenger and train traffic, including morning commuter service into the Washington, D.C., area.

In light of the new attacks and the Blaster infections, Microsoft has started a fresh dialogue about how it might change its patching strategy, at least when it comes to home computers outfitted with XP (see related story). That operating system has a feature to automatically notify an end user that a software patch is needed and apply it.

A Microsoft spokesman says the company is pondering whether to alter this feature in future releases so that it would work by default. The company says it believes this method would be more effective instead by applying the patch because warnings often are ignored.

Microsoft was looking for feedback on that idea, which it acknowledged could affect the corporate world where XP also is increasingly used.

In terms of the Blaster worm, which was programmed to continuously launch a denial-of-service attack against the Microsoft URL on Aug. 16, the company disabled the targeted link to preserve the main portion of the site. However, that URL won’t be available for the foreseeable future.

As to the question of Dumaru – a worm launched last week that pretended to be from Microsoft but carried a dangerous Trojan as an attachment – Microsoft says it never sends out attachments in any official e-mail in a public mass mailing. 

Under attack

Four new worms and viruses created havoc on computer networks last week.
Virus/worm Description

Variant of LovSan (also known as Blaster, MSBlast, LoveSAN) with an attachment called mspatch.exe instead of msblast.exe. This worm exploits the same Microsoft remote procedure call (RPC) vulnerability; its scanning causes network congestion.

Welchia (also known as Nachi)

Uses RPC hole to infect unpatched machines running Microsoft software by exploiting the WebDAV vulnerability, with the intent of killing Blaster worm infestations and downloading the Microsoft patch. But it causes network congestion through scanning.


Fifth variant of the SoBig.A worm first spotted in January, SoBig.F is a mass mailer that tricks victims into opening attachments, such as “Wicked Screensaver,” then installs a backdoor, while grabbing directory addresses to mail itself to new victims. It clogs mail servers and mailboxes.

Dumaru A mass-mailer worm that fakes its way into a user’s trust as spoofed mail from, but when the attachment is opened, installs a backdoor that lets the virus writer control the machine.