
MS Blaster Worm - According to Symantec Corp.,
provider of Internet security software and solutions, Microsoft
Windows actually blocks anti-virus software from treating this virus.
Since warning customers about the flaw on July 16, Microsoft has
posted a free cure, or software "patch," for the virus
on its Web site. If you have not applied this
patch and are running Windows 2000/3, XP, or NT, you may be vulnerable,
regardless of any antivirus (AV) software you may be running!

The MS Blaster worm exploits a critical
Remote Procedure Call (RPC) flaw to infect vulnerable Windows machines
and is spreading rapidly across the Internet. The MSBlaster worm,
also known as Lovesan, Blaster or Poza, began spreading around
11 Aug 2003 and is also programmed to launch an attack against
windowsupdate.com on 16 August and around every 14 days thereafter.
Microsoft last month issued a patch to guard against the problem
but uptake has been predictably slow, allowing malicious code writers
to come up with software that is having a severe effect on many
users. Mac, Linux and Unix computers are immune to this Microsoft-specific
vulnerability.

According to a preliminary analysis of the worm by F-Secure, the
worm spreads in a 6176-byte executable named MSBLAST.EXE (or TEEKIDS.EXE,
a variant) to Windows 2000 and Windows XP systems unless recent
Windows security patches have been applied. Windows NT 4 and Windows
2003 can also be affected but these systems appear to be playing
a lesser role in the spread of the worm, presumably because they
are usually run by business users with higher security procedures
than home users.

Unsuccessful propagation attempts may crash vulnerable computers,
or render them unstable. Successful worm outbreaks are causing localised
network latency, i.e. slowing the internet down.

MSBlaster contains the following text (which is not displayed):

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

Security experts have been predicting the arrival of the worm,
or something like it, for some weeks. TruSecure, which has been
prominent in these warnings, has published an informative advisory
on the worm, which gives some indication of its likely spread.

The alert states: "TruSecure does not expect LANs to suffer
from denial of service conditions due to this infection, even if
it becomes infected. This is because internal infections will only
propagate if outbound TFTP requests are allowed. If a source is
found it can be blocked at either the firewall or router."
For these reasons, TruSecure "does not expect this to be as
bad as Code Red, Nimda or SQL Slammer".
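
The alert's point about outbound TFTP can be checked against firewall logs. The Python below is an added example, not part of the original article or of TruSecure's advisory; the key=value log format, the addresses and the function names are constructed for illustration, and it lists internal hosts that sent TFTP requests (UDP port 69) to outside addresses, which are the sources to block at the firewall or router.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2003-08-12T09:14:02 action=allow proto=udp src=192.168.1.23 sport=1045 dst=203.0.113.7 dport=69
2003-08-12T09:14:05 action=deny proto=udp src=192.168.1.40 sport=1188 dst=198.51.100.9 dport=69
2003-08-12T09:14:09 action=allow proto=tcp src=192.168.1.23 sport=1050 dst=203.0.113.7 dport=80
2003-08-12T09:15:11 action=allow proto=udp src=192.168.1.23 sport=1046 dst=203.0.113.7 dport=69
2003-08-12T09:15:30 action=allow proto=udp src=192.168.1.12 sport=1100 dst=192.168.1.5 dport=69
truncated line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")
TFTP_PORT = "69"  # TFTP requests are sent to UDP port 69


def outbound_tftp_sources(lines, internal_cidr):
    """Return {internal source IP: {"allow": n, "deny": n}} for TFTP
    requests that leave the internal network."""
    net = ipaddress.ip_network(internal_cidr)
    hits = defaultdict(lambda: {"allow": 0, "deny": 0})
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("proto") != "udp" or f.get("dport") != TFTP_PORT:
            continue
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the scan
        if src in net and dst not in net and f.get("action") in ("allow", "deny"):
            hits[str(src)][f["action"]] += 1
    return dict(hits)


def report(hits):
    """Order hosts with allowed requests first: per the alert, propagation needs outbound TFTP to be allowed."""
    return sorted(hits, key=lambda ip: (-hits[ip]["allow"], ip))


if __name__ == "__main__":
    found = outbound_tftp_sources(SAMPLE_LOG.splitlines(), "192.168.1.0/24")
    for ip in report(found):
        print(ip, found[ip])
```

Internal-to-internal TFTP (the 192.168.1.12 line) is deliberately not counted, since the check is about requests crossing the firewall.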