MSBlaster Aftermath

Over the last week or so, I've received a large quantity of acerbic email. Fortunately, the vitriol expressed wasn't aimed at me but rather at the coworkers of the folks who wrote to me. I received roughly equal amounts of mail from both categories of my typical readers: power users and IT professionals. Each group, perhaps not surprisingly, pointed their finger at the other group. I've seen logical disconnects occur between the IT world and the real world before, but rarely on this large a scale.

The power users complained about the incompetence of their companies' IT staff for letting the MSBlaster (Lovsan) virus wreak havoc throughout their network. The IT pros complained about users who opened messages that they shouldn't open. In this case, I stand firmly in the middle: Both sides are right. On one side of the equation, users shouldn't open attachments willy-nilly. They need to understand the potential consequences when opening executable files, and they should run local antivirus software. Users should also take some responsibility for keeping their computers up-to-date. After all, if you can remember to change your car's oil every 3000 miles, you can remember to check Windows Update once a month. On the other side of the equation, IT professionals who don't keep their firewalls locked down, don't update their servers regularly, and don't work with their users are incompetent. Attending to those tasks is basic to working in IT, and if you don't do them properly, you have no one but yourself to blame when things go wrong. Don't assign blame, and don't make excuses; your friends don't need to hear it, and your enemies won't believe it.


New Virus Hits

In a plot twist worthy of a Luddite-inspired science fiction movie, a new virus that's designed to make your computer healthier is on the loose. A new version of the MSBlaster virus was reported on Monday. Lovsan.D (aka Welchia/Nachi) makes use of the same Windows exploit that MSBlaster used to cause remote procedure call (RPC) attacks to crash networks everywhere. However, rather than replicating and attacking RPC ports, Lovsan.D installs itself and looks for MSBlaster. If it finds MSBlaster, Lovsan.D then deletes that virus, downloads the patch from Microsoft, and applies it, preventing future attacks that use the same exploit. Once Lovsan.D has done its work, it checks the date--if the date is later than January 1, 2004, Lovsan.D deletes itself.

I don't know which is worse--that someone wrote a worm to clean up after a previous worm, or that people still exist who live in Internet-connected caves and run unpatched systems. We're fortunate that this most recent virus attack falls into the "annoyance" category, rather than the "blatantly destructive" category. Given the number of computers that MSBlaster affected, had Lovsan.D been of a type to destroy data rather cause a Denial of Service (DoS), we'd be cleaning up for the next 6 months. If you'd like more details about this new virus variation, check out the following sites and articles: http://www.sophos.com/virusinfo/analyses/w32nachia.html http://vil.nai.com/vil/content/v_100559.htm http://www.wininformant.com/articles/index.cfm?articleid=39898

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish