Worm War of 2003

Most common computer users were surprised to find that a new virus had hit the internet last week. Although most computer security experts are always on guard for a new virus, this one was hard to detect. This virus is named MS Blaster or RPC DCOM Worm, and like its name it is special. The vulnerability code allowing it to disable computers was released several weeks before the actual virus was released, stumping security experts worldwide. (Pchelp)

With most viruses, computers that have been patched by their users are unaffected, but MS Blaster had other plans. It flooded patched computers with so many packets that they were crashing from the load. Even those that had firewalls were crashing from the excessive load. This is the first virus of its kind to infect computers in this way. MS Blaster would contact a computer via port 135, determine if the computer was vulnerable, lock on to the computer, and then transfer the payload to the new computer. (Worm_Msblast.A) The newly infected computer would then begin this process again by transmitting the virus to other computers. The only shortcoming to the effectiveness of this virus was that it would crash a computer every 60 seconds after startup, making it difficult for the virus to spread quickly. (Ntcanuck) If this bug had not been present, MS Blaster would have turned into an epidemic in a matter of days.

This new computer dilemma has been compared to former viruses of fame such as Melissa, Code Red, and Slammer. Like Code Red, it infected certain types of machines while crashing others. (Code Red) Like Slammer, it infected its electronic victims via a port on the machine. (Slammer) Like Melissa, it was so overrated by the time it hit the internet that no one realized how badly the virus had actually been written. (Melissa) Its main aim was Microsoft, which was similar to Code Red’s reason for existence. Unlike any other virus to date, this one gave computer users fair warning. This was the first virus to receive advisory warnings from the federal government to block a port. (Hal) These advisories brought MS Blaster more attention than any other virus in a short period of time.

A few days after MS Blaster hit, another virus writer broke up the party by writing an anti-virus named Nachi. Nachi’s purpose was to infect a vulnerable system in the same way that MS Blaster did. It then removed the unwanted virus and began a Windows update that automatically installed the Microsoft patch for the system. The blocked port prevented the computer from being infected again. Nachi had the unique ability to delete itself on January 24, 2004. This makes a nice weapon for defeating the virus and all of its counterparts, making the net a safer place. (Nachi) Hopefully the programmer who created Nachi will continue on this path to success and not leave the net to fend for itself.

MS Blaster was claimed by a Chinese group called X-Force. (Mgwmp) This group should not be confused with the US force which is designed to protect citizens from all types of on-line attacks and violations of privacy policies. Unfortunately the US Force was not on its toes at the time of this attack. Several newsgroups sprang to attention when this virus became public knowledge. Millions of IP addresses were logged and many e-mails were sent to Internet Service Providers warning that a lack of action would result in serious circumstances. The FCC was empowered to shut down anyone refusing to block port 135. Many ISPs claimed to have blocked the port but neglected to do so. They merely blocked it at the border of the network. This action would have been enough if some users had not already been infected, but under the circumstances it was too little and too late. (Pchelp)

Although many major anti-virus programs on the internet have virus definition files that cover MS Blaster and its mutations, Symantec and Trend-Micro were the two leading anti-virus software companies to tackle this problem. Symantec released a program called Sysclean. It used the latest virus definition files to scan for any possible virus that may be on the computer at the time. Trend-Micro’s program works in a similar way, but it is free to the public and can be accessed on-line. The inconvenience with Trend-Micro’s program is that the user has to remain on-line to download the information. If the user has already been infected with the virus, this may be an impossible task.
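
The border-only block on port 135 described above leaves traffic between customers of the same network unfiltered. As an added example (not part of the original essay), the following Python detector flags customer hosts that fan out to many port 135 destinations and counts how many of those targets sit inside the network, where a border filter never sees them. The address range, log layout and threshold are assumptions, and the flow records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the essay): the provider's customer range, the log
# layout "time src dst dst_port action", and the fan-out threshold.
CUSTOMER_NET = ipaddress.ip_network("10.20.0.0/16")
FANOUT_THRESHOLD = 5

# Constructed sample flows: 10.20.1.15 sweeps neighbours on TCP 135,
# 10.20.3.4 is an ordinary client talking to one server.
SAMPLE_FLOWS = """\
2003-08-12T09:00:01 10.20.1.15 10.20.1.16 135 ALLOW
2003-08-12T09:00:01 10.20.1.15 10.20.1.17 135 ALLOW
2003-08-12T09:00:02 10.20.1.15 10.20.1.18 135 ALLOW
2003-08-12T09:00:02 10.20.1.15 10.20.1.19 135 ALLOW
2003-08-12T09:00:03 10.20.1.15 10.20.1.20 135 ALLOW
2003-08-12T09:00:03 10.20.1.15 10.20.1.21 135 ALLOW
2003-08-12T09:00:04 10.20.1.15 198.51.100.7 135 DENY
2003-08-12T09:00:04 10.20.1.15 198.51.100.8 135 DENY
2003-08-12T09:01:10 10.20.3.4 10.20.0.10 135 ALLOW
2003-08-12T09:01:12 10.20.3.4 10.20.0.10 135 ALLOW
2003-08-12T09:02:00 10.20.3.4 203.0.113.9 80 ALLOW
"""

def find_port135_sweepers(log_text, threshold=FANOUT_THRESHOLD):
    """Return {src: {"inside": n, "outside": n}} for customer hosts that
    contacted at least `threshold` distinct destinations on port 135."""
    inside, outside = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[3] != "135":
            continue  # skip malformed lines and other ports
        _, src, dst, _, _ = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue  # skip lines with unparseable addresses
        if src_ip not in CUSTOMER_NET:
            continue
        # A border filter only sees traffic that leaves the customer range.
        (inside if dst_ip in CUSTOMER_NET else outside)[src].add(dst)
    report = {}
    for src in set(inside) | set(outside):
        if len(inside[src]) + len(outside[src]) >= threshold:
            report[src] = {"inside": len(inside[src]), "outside": len(outside[src])}
    return report

if __name__ == "__main__":
    for src, hits in sorted(find_port135_sweepers(SAMPLE_FLOWS).items()):
        print(f"{src}: {hits['inside']} port-135 targets inside, {hits['outside']} outside")
```

On the sample data, six of the eight targets contacted by the sweeping host are inside the customer range, so a filter at the network border would have seen only two of them.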

Many internet users considered attacking those with IP addresses that were transmitting MS Blaster. The plan was to hack into the system and delete the virus manually. This is highly possible, but it is in direct violation of privacy policies. Internet service providers highly value these policies and contract with their users to agree to comply with them. While stepping in and taking charge was an ethical violation of these policies, it seemed unethical not to do it. Often the computers that were infected with the virus had their doors wide open. Another user could have easily walked in, disinfected the computer, and left a note of explanation. Some technicians were opposed to this idea because it could cause a flood of unethical violations. The problem could have been remedied by contacting the user of the infected computer, explaining the situation, asking for their permission to remove the virus, and then remotely removing the virus. Other technicians remained opposed to this idea because they did not think “remote access” was an answer to any problem. (Hal) Net chatter produced a variety of ideas to rid users of the MS Blaster threat, but in the end only the anti-virus software could answer the problem.

In conclusion, the MS Blaster virus was not as problematic as many had assumed it would be. While viruses have become a commonplace enemy of average computer users, anti-viruses have become just as easy to find. Unlike Melissa, Code Red, and Slammer, the MS Blaster virus was quickly identified and nipped in the bud. For most users, the months of frustration taken to get rid of the virus were turned into a matter of days or even hours. This could be a sign that the security experts of the internet are beginning to learn how to deal with modern viruses without as much of a problem as they once had. Perhaps the mind of man has finally caught up with the technology it has created.


Pchelp. Newsgroup. Rpc worm, probly one of many. 11 Aug. 2003

Mgwmp. Newsgroup. Mystery virus w32/lovsan. 11 Aug. 2003

Ntcanuck. Newsgroup. Msblaster > teekids.exe. 13 Aug. 2003

Govpeon. Newsgroup. Msblast detection. 13 Aug. 2003

Hal. Newsgroup. Fight blaster with exploit? 17 Aug. 2003

Lab1. Newsgroup. Slammer may be involved in blackout 2003. 20 Aug. 2003

Fisher, Dennis. “Blaster variant on the loose.” Eweek 13 Aug. 2003

“WORM_MSBLAST.A – Description and solution.” Trend Micro 11 Aug. 2003

“CODERED.A – Description and solution.” Trend Micro 18 Jul. 2001

“WORM_SQLP1434.A Slammer – Description and solution.” Trend Micro 25 Jan. 2003

“W97M_MELISSA.A – Description and solution.” Trend Micro 9 Mar. 2000

“Nachi” Network Associates 18 Aug. 2003