CUPERTINO, Calif. - August 13, 2003 - Symantec, the world leader in Internet security, today announced that it has seen an initial peak in the number of new W32.Blaster.Worm infections. In fact, Symantec Security Response experts have noted a 30 to 40 percent decrease in infected systems from Monday, August 11 PDT to Tuesday, August 12 as monitored by the Symantec DeepSight Threat Management System.
"The W32.Blaster.Worm, which propagates via the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, has been spreading worldwide at a much slower rate than CodeRed, Nimda or Slammer," said Alfred Huger, senior director Symantec Security Response. "The potential for infection with W32.Blaster.Worm, however, is much greater than previous worms due to the overwhelming number of machines that are affected by the MS RPC Buffer Overrun vulnerability."
Of the 188,000 hosts infected, the top five countries currently affected are the United States (48 percent), United Kingdom (15 percent), Canada (5 percent), Australia (3 percent) and Ireland (2 percent).
Although the number of new infections is declining, the first variant has also been identified. W32.Blaster.B.worm, a variant of W32.Blaster.worm, differs only in that it renames the executable as Penis.exe. Symantec Security Response has rated this worm as a Level 2 threat. In addition, Symantec has discovered a new Trojan, W32.Randex.E that also takes advantage of the vulnerability. This Trojan allows its creator to control a computer by using Internet Relay Chat (IRC) and is also rated a Level 2.
The Symantec DeepSight Threat Management System, part of Symantec's Early Warning Solutions, tracks security threats and provides quick analysis countermeasures to protect against malicious threats on a global basis. The most extensive data network in the world, the solution gathers data from firewalls and intrusion detection systems (IDS) of more than 20,000 partners in more than 180 countries - offering the most comprehensive view of what is happening on the Internet.
Symantec Security Response encourages network administrators to implement the following:
W32.Blaster.Worm Removal Tool
Symantec Security Response has posted a removal tool for W32.Blaster.Worm. The removal tool is available from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html.
Symantec Security Solutions
Symantec's full application inspection firewalls protect against W32.Blaster. Worm by default, blocking all vulnerable TCP ports 135, 139, and 445. For Windows-based firewalls, Symantec's unique initial and ongoing system hardening automatically protects the firewall itself from this RPC-based attack. For maximum security, third generation full application inspection technology intelligently blocks tunneling of DCOM traffic over HTTP channels thus providing an extra layer of protection not readily available on most common network filtering firewalls. For protection specifically at the desktop, the firewall technology in Symantec Client Security and Norton Internet Security provide default protection against this threat.
The protocol anomaly detection technology in Symantec ManHunt detects the activity associated with this Microsoft exploit as "Portscan." Customers can also use the signatures that Symantec released on July 25, 2003, which includes the "Microsoft DCOM RPC Buffer Overflow" custom signature to precisely identify the exploit being sent. These signatures were designed to detect the exploitation of the RPC DCOM buffer overflow and are not specific to the W32.MSblaster.Worm. By using these signatures, Symantec ManHunt is able to generically detect the worm attacking/infecting a new host.
Symantec Enterprise Security Manager (ESM) has detected the underlying vulnerability that this worm exploits since July 17,2003 (through LiveUpdate and Web site download). Symantec ESM is an industry-leading security policy compliance solution that enables enterprises to create customized security policies and manage policy compliance in mission critical business applications and servers across a heterogeneous enterprise from a single location.
Symantec's antivirus solutions, such as Symantec AntiVirus Corporate Edition, with current virus definitions automatically protect against W32.Blaster.Worm.
W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135. This worm attempts to download the msblast.exe file and execute it. The worm also attempts to perform a Denial-of-Service attack on Windows Update. This is an attempt to prevent users from applying a patch on their systems against the DCOM RPC vulnerability. For more information on this worm, or to learn how to delete and scan for infected files, visit the Symantec Security Response Web site at http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html.
Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at www.symantec.com.
NOTE TO EDITORS: : If you would like additional information on Symantec Corporation and its products, please view the Symantec Press Center at http://www.symantec.com/PressCenter/ on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States.
Symantec, the Symantec logo, VERITAS, and the VERITAS logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and certain other countries. Additional company and product names may be trademarks or registered trademarks of the individual companies and are respectfully acknowledged.