Lock IT Down: Blaster, Welchia, and SobigF pose triple threat to networks

The serious threat posed by the Blaster, Welchia, and SobigF worms to unpatched networks

After several months of relative calm on the virus front with only low-level threats, last week the Blaster worm assaulted many networks and wreaked havoc on a lot of PCs. This week, the Welchia worm—which is actually supposed to remove Blaster—arrived and began causing additional problems. Not only that, but a hot new version of the old Sobig mass-mailing worm has turned lethal and begun infecting many systems with its own brand of mischief.

Despite repeated warnings from Microsoft, columnists, and even the U.S. federal government, a lot of systems are experiencing serious denial of service (DoS) attacks from the Blaster (a.k.a. msblast.exe, Lovsan, and Posa) worm. Blaster takes advantage of a DCOM RPC vulnerability in newer Microsoft Windows operating systems. If an unpatched system with an open port 135 is attacked, the worm will attempt to install and run msblast.exe.

Fortunately, the initial worm was poorly designed. However, by Wednesday afternoon (Aug. 13), Kapersky Labs reported that its security team had already seen a slightly "improved" version that could coexist in the same computer with the original version—meaning that you can have two Blaster infections simultaneously. Files in the new version are teekids.exe (5.3K) and penis32.exe (7.2K).

As CNET reported, "MSBlast does not spread via e-mail. Instead, it scans the Internet on port 135 looking for vulnerable computers. When it finds one, it attempts to exploit the DCOM RPC buffer overflow, create a remote root shell on TCP port 4444, then use FTP to download a file called msblast.exe onto the infected computer. MSBlast contains a denial-of-service (DoS) attack aimed at Microsoft's The attack will start on August 15 and continues throughout the end of the year."

This worm is easy to block by closing port 135 or by applying the Microsoft patch provided in Microsoft Security Bulletin MS03-026. But what if you have an infected system? Many users with the infection report their computers are rebooting so often and generating so many error reports that they are unable to download the patch.

Simply activating Windows XP's minimal Internet Connection Firewall (ICF) appears to make it possible for XP-based systems to stay online and download removal tools or the patch. Symantec reports that other firewalls may be able to provide the necessary protection to help repair the system even after infection.

Symantec has also made available a free Blaster removal tool that deletes instances of the worm files and eliminates the registry values it adds. Other vendors' sites with removal instructions or tools include F-Secure, McAfee, and Trend Micro.

For those who can read this report but can't stay online long enough to download either the patch or one of the removal tools, here is some hands-on help offered by Global Hauri, which markets ViRobot Expert.

Global Hauri's Blaster removal instructions
  1. Disconnect your computer from the network.
  2. Reboot the computer in Safe mode by hitting the [F8] function key (top row of the keyboard) while rebooting and choosing the Safe Mode option.
  3. Wait until boot process is completed in Safe mode.
  4. Open Task Manager by simultaneously pressing [Ctrl][Shift][Esc] and then select the Processes tab.
  5. Find and highlight msblast.exe from Processes tab.
  6. To kill msblast.exe, click the End Process button in the bottom of the Processes window.
  7. Click Start and select the Search button. (It looks slightly different in WinNT, Win2K, and WinXP.)
  8. Choose All Files and Folders, type msblast.exe, and then search the entire hard disk. (If you have more than one drive, search them all.)
  9. Delete all msblast.exe instances from the search window.
  10. Reboot in Normal mode and plug in to the network.

Now you will be able to install antivirus software (or update the latest antivirus definitions) and the Microsoft security patch. For advanced users, Global Hauri recommends this extra step: Go to the registry and remove the key reg. msblast.exe from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

A worm released with the intention of fixing computers infected with Blaster is making the rounds and is causing far more damage than Blaster did. Welchia (a.k.a. W32/Welchia.worm10240, W32/Nachi.worm, WORM_MSBLAST.D, and Lovsan.D) attempts to remove Blaster and download/install the required system patch.

The problem with Welchia, besides the fact that it's just another cyberthreat, is that it takes over the "patched" system and uses it to scan the Internet for other Blaster-infected systems—and the bandwidth consumption is bringing individual systems and networks to their knees. Symantec has a report on Welchia, which includes a link to a removal tool and detailed manual removal instructions.

The latest version of Sobig can infect a system only if a user opens a malicious e-mail and then opens an attachment. Like other versions of Sobig, this one comes complete with an e-mail client and attempts to spread itself to e-mail addresses gleaned from the compromised computer.

The attachment always seems to be a filename ending in .pif, and the subject lines are intelligently designed to get people to open the attachment. Some examples are: RE: Details, RE: Approval, RE: Thank You, and RE: Your Application.

This is a very large worm (72K). Removing it from systems will be a complex undertaking, since you'll have to disconnect each compromised PC from any network before cleaning it. Details and removal instructions are available at the following security sites:

Final word
These three worms have brought down networks large and small. The information, links, and instructions provided here can help you avoid these nasty little devils or remove them if they have already infected systems on your network.

Editor's Picks

Free Newsletters, In your Inbox