Symantec Sees Decrease In New W32.Blaster.Worm Infections
SYMANTEC SEES DECREASE IN NEW W32.BLASTER.WORM INFECTIONS
Systems in the United States, United Kingdom, Canada, Australia and Ireland Most Affected
CUPERTINO, Calif. - Aug. 13, 2003 - Symantec, the world leader in Internet security, today announced that it has seen an
initial peak in the number of new W32.Blaster.Worm infections. In fact, Symantec Security Response experts have noted a
30 to 40 percent decrease in infected systems from Monday, August 11 PDT to Tuesday, August 12 as monitored by the
Symantec DeepSight Threat Management System.
"The W32.Blaster.Worm, which propagates via the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability, has
been spreading worldwide at a much slower rate than CodeRed, Nimda or Slammer," said Alfred Huger, senior director
Symantec Security Response.
"The potential for infection with W32.Blaster.Worm, however, is much greater than previous worms due to the overwhelming
number of machines that are affected by the MS RPC Buffer Overrun vulnerability."
Of the 188,000 hosts infected, the top five countries currently affected are the United States (48 percent), United
Kingdom (15 percent), Canada (5 percent), Australia (3 percent) and Ireland (2 percent).
Although the number of new infections is declining, two variants have been identified. W32.Blaster.B.worm and
W32.Blaster.C.worm, variants of W32.Blaster.worm, differ only in that they rename the executable to Penis.exe, and
Teekids.exe respectively. Symantec Security Response has rated these variants as Level 2 threats. In addition, Symantec
has discovered a new Trojan, W32.Randex.E that also takes advantage of the vulnerability. This Trojan allows its creator
to control a computer by using Internet Relay Chat (IRC) and is also rated a Level 2.
The Symantec DeepSight Threat Management System, part of Symantec's Early Warning Solutions, tracks security threats and
provides quick analysis countermeasures to protect against malicious threats on a global basis. The most extensive data
network in the world, the solution gathers data from firewalls and intrusion detection systems (IDS) of more than 20,000
partners in more than 180 countries - offering the most comprehensive view of what is happening on the Internet.
Symantec Security Response encourages network administrators to implement the following:
* Ensure that all available patches and feasible mitigating strategies provided in Microsoft Security Bulletin
MS03-026 have been applied. The patch is available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/ bulletin/MS03-026.asp
* Ensure that the following ports are filtered at the network perimeter and between all untrusted network
segments: udp/135, udp/137, udp/138, tcp/135, tcp/445 and tcp/593.
Symantec Security Response encourages home users to immediately install the latest patch from Microsoft and update their
virus definitions to protect against W32.Blaster.Worm.
W32.Blaster.Worm Removal Tool Symantec Security Response has posted a removal tool for W32.Blaster.Worm. The removal
tool is available from: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.rem oval.tool.html.
Symantec Security Solutions Symantec's full application inspection firewalls protect against W32.Blaster. Worm by
default, blocking all vulnerable TCP ports 135, 139, and 445. For Windows-based firewalls, Symantec's unique initial and
ongoing system hardening automatically protects the firewall itself from this RPC-based attack. For maximum security,
third generation full application inspection technology intelligently blocks tunneling of DCOM traffic over HTTP
channels thus providing an extra layer of protection not readily available on most common network filtering firewalls.
For protection specifically at the desktop, the firewall technology in Symantec Client Security and Norton Internet
Security provide default protection against this threat.
The protocol anomaly detection technology in Symantec ManHunt detects the activity associated with this Microsoft
exploit as "Portscan." Customers can also use the signatures that Symantec released on July 25, 2003, which includes the
"Microsoft DCOM RPC Buffer Overflow" custom signature to precisely identify the exploit being sent. These signatures
were designed to detect the exploitation of the RPC DCOM buffer overflow and are not specific to the W32.MSblaster.Worm.
By using these signatures, Symantec ManHunt is able to generically detect the worm attacking/infecting a new host.
Symantec Enterprise Security Manager (ESM) has detected the underlying vulnerability that this worm exploits since July
17,2003 (through LiveUpdate and Web site download). Symantec ESM is an industry-leading security policy compliance
solution that enables enterprises to create customized security policies and manage policy compliance in mission
critical business applications and servers across a heterogeneous enterprise from a single location.
Symantec's antivirus solutions, such as Symantec AntiVirus Corporate Edition, with current virus definitions
automatically protect against W32.Blaster.Worm.
About W32.Blaster.
Worm W32.Blaster.Worm is a worm that exploits the DCOM RPC vulnerability using TCP port 135. This worm attempts to
download the msblast.exe file and execute it. The worm also attempts to perform a Denial-of-Service attack on Windows
Update. This is an attempt to prevent users from applying a patch on their systems against the DCOM RPC vulnerability.
For more information on this worm, or to learn how to delete and scan for infected files, visit the Symantec Security
Response Web site at
About Symantec
Symantec, the world leader in Internet security technology, provides a broad range of content and network security
software and appliance solutions to enterprises, individuals and service providers. The company is a leading provider of
client, gateway and server security solutions for virus protection, firewall and virtual private network, vulnerability
management, intrusion detection, Internet content and email filtering and remote management technologies as well as
security services to enterprises and service providers around the world. Symantec's Norton brand of consumer security
products is a leader in worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has
worldwide operations in 36 countries. For more information, please visit www.symantec.com .
### NOTE TO EDITORS: : If you would like additional information on Symantec Corporation and its products, please view
the Symantec Press Center at on Symantec's Web site. All prices noted are in US dollars and are valid only in the United States. Symantec and the
Symantec logo are trademarks or registered trademarks, in the United States and certain other countries, of Symantec
Corporation. Additional company and product names may be trademarks or registered trademarks of the individual companies
and are respectfully acknowledged.
ENDS