Blaster worm starts European campaign

The long-predicted worm which uses a flaw present in all Microsoft operating systems has already spread to Europe.

The Blaster worm, also know as Lovesan, MSBlaster or Poza, attacks via a flaw for which a patch has been available since 16 July.

And, after 15 August, infected computers will be used to launch a denial of service attack against windowsupdate.com, where the patch for the vulnerability can be found.

Infections have already spread in the US and cases started appearing in Europe as the working day started.

"The lion's share of infections are in the US. Now people are waking up we've got infections popping up all over Europe," said David Emm from Network Associates Avert labs.

"We're keeping an eye on it but at present it doesn't look like it's going to be as much of a problem as Slammer. Administrators must still patch their systems as a matter of urgency."

The worm is spread automatically by sending itself via TCP port 135 to random IP addresses, generating large amounts of network traffic.

Once it finds and infects a system it copies itself onto the registry and sets up a shell using TCP port 4444, which downloads a program, msblast.exe, before sending itself out again.

The worm code also contains a message for Microsoft chairman Bill Gates, hidden in the code: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible? Stop making money and fix your software!!"

The worm is particularly worrying since it can be used against both servers and client PCs.

"This puts the future of Windows at threat," said Gary Jones, services manager at MIS Corporate Defence Solutions.

"People underestimate how vicious this exploit code is. A single line of code gives the hacker system-level privileges.

"If someone writes an email worm this is going to spread like wildfire; it affects clients and servers and runs on 90 per cent of the world's PCs."

The critical flaw is in Microsoft's Distributed Component Object Model Remote Procedure Call (RPC) interface.

The vulnerability involves the RPC protocol, which deals with inter-computer communications. Microsoft warned that, under certain circumstances, the RPC might not properly check messages sent to the PC.

The patch is available here, and the major antivirus web sites also have free removal utilities available.