Worm double whammy still hitting hard

Nachi--also dubbed MSBlast.D and Welchia--is a variant of the MSBlast worm that started spreading on Monday and swamped corporate networks with its attempts to compromise computers. The worm aimed to patch vulnerable computers before the original MSBlast infected them, but its aggressive scanning for systems disrupted corporate networks.

The mass-mailing computer virus Sobig.F, which targets Windows computers, started multiplying on Tuesday morning, quickly adding to the network havoc.

America Online said it scanned 40 million e-mail attachments on Wednesday--about four times the average daily volume--and found more than 23 million copies of the Sobig.F virus. In addition, the number of support calls from home users jumped significantly because of the reaction of other e-mail systems to the virus, said Nicholas Graham, a spokesperson for the Internet service giant.

"This virus makes people think that they have been hacked, because they see the e-mailer notifications that have bounced back," Graham said.

Sobig.F, like previous variants of the virus, forges the source address of every e-mail it sends, using addresses culled from the Windows address book or found in cached Web pages. When e-mail gateways detect a message with a virus attached, they typically dispatch a warning about the infection to the sender. In the case of Sobig.F, the response is sent to a person that most likely hasn't been infected.

"We are getting very successful at blocking the messages from e-mail daemons (server programs)," Graham said.

AOL estimates that it blocks as much as 75 percent of automatically generated e-mail messages. The other 25 percent accounted for a 25 million-message increase in the amount of e-mail that AOL processed over the past two days, Graham said.

Down to the roots
Internet service provider VeriSign said it was able to measure the effects of the Sobig virus and estimated that at least 100,000 computers on the Internet had been infected by the virus.

The ISP said it saw a dramatic increase in the number of mail-record lookups processed by its domain name system (DNS) root server in the past 24 hours. The increase was caused by the component of the Sobig.F virus that sends e-mail, it said.

The Sobig.F virus spreads by sending a copy of itself to the addresses in an e-mail message with a subject line such as "Your Details," "Re: Approved," and "Thank you!" The virus also spreads by copying itself to shared network hard drives that are accessible to the infected computer.

Every time the mini-mail server sends off a copy of the virus, it looks up data from the DNS root servers, the authoritative address books of the Internet. VeriSign controls one of the 13 primary servers and has seen an amount of mail-record lookups jump by a factor of 20 since Tuesday morning, according to John Ferguson, director of marketing for security services for the company.

"The majority of the messages that are sent across the Internet normally don't come up to the root level," Ferguson said. "Now, (infected computers in) thousands of networks are doing the lookups."

Ferguson said that VeriSign has found lookups coming from several tens of thousands of network addresses, making it very likely that at least 100,000 computers are infected by the Sobig.F virus.

On Thursday, Symantec said that the Nachi worm--which the company calls W32.Welchia--and the original MSBlast worm combined had infected more than a million Windows computers. In four days, the number of computers compromised by the MSBlast variant had surpassed the original worm, according to Alfred Huger, senior director of engineering for Symantec's security response team.

"There are a lot of companies that have been disrupted by W32.Welchia," Huger said. "A lot of the people who are getting it under control are doing so because it couldn't get any worse."

Downing tools
MSBlast and its variants, and the Sobig.F virus, have disrupted several companies, including those responsible for critical parts of the United States' infrastructure.

• Defense contractor Lockheed Martin had less than 1 percent of its systems infected, but still had disruptions.

• The Massachusetts Institute of Technology found its e-mail servers congested from the amount of messages created.

• Railway and freight hauler CSX had to stop trains because of the Nachi worm, the Associated Press reported.

• Airline Air Canada canceled flights on Tuesday because its network couldn't deal with the amount of traffic generated by the Nachi worm.

• The Pentagon and military had myriad infections of the Sobig.F virus and the Nachi worm, various news agencies reported.

The MSBlast worm also continued to have some unforeseen effects on non-Microsoft hardware.

Hewlett-Packard revealed on its customer support Web site that its HP OpenView network management software has been hit by the specific type of data that MSBlast uses to compromise vulnerable computers.

"HP OpenView has determined that the worm virus recently referred to as 'Blaster'...may impact HP OpenView products running on Microsoft Windows, HPUX, Solaris and Linux," the company stated in an advisory. An HP spokesperson couldn't be immediately reached for comment.

In addition, network administrators reported on a newsgroup that telecommunications equipment maker Lucent Technologies' TNT MAX network gateway crashed due to some interaction with traffic created by the MSBlast worms. A representative for the company confirmed that Lucent was investigating the issue, but couldn't supply details.

The Slammer worm that took advantage of a six-month-old security flaw in Microsoft's SQL Server and related database software also affected non-Microsoft products. Several product contained the vulnerable code.