
Incident Update

"It never rains but it pours": August has been a busy month for viruses and worms.

It started with a mass-mailer, W32/Mimail.A, on 2 August. To fool recipients into opening the attachment it uses a social engineering trick: Mimail forges the sender's address as 'admin@' and uses the subject 'your account'. Mimail achieved good initial spread and is still spreading; it is currently listed as the second most prevalent virus in MessageLabs statistics.

However, Mimail was eclipsed on the 12th of August by W32/Blaster.A, a worm that exploits the DCOM vulnerability in the RPC service in some versions of Windows. A patch to fix the vulnerability has been available from Microsoft since the 16th of July. Blaster caused widespread disruption, largely because of its tendency to make Windows XP shut down repeatedly, and was reported in the media worldwide. It is discussed in depth throughout the rest of this newsletter.

Another worm that exploits the DCOM vulnerability appeared on the 18th of August. Known as W32/Nachi.A, Welchia or Welchi, it also exploits the WebDAV vulnerability in IIS 5.0, for which Microsoft issued a patch on the 17th of March this year. An interesting feature of Welchia is that it attempts to download and install Microsoft's patch for the DCOM vulnerability. Welchia also searches for new hosts to infect by sending ICMP echo request ("ping") packets; some sites have found it necessary to block these packets, because the flood of traffic is effectively a distributed denial of service attack.
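A defender-side check suggested by the Welchia ping traffic described above, as an added example that is not from the newsletter: it flags any host that sends ICMP echo requests to many distinct destinations within a short time window, which is the signature of a scanning host rather than of normal monitoring. The log line format, timestamps, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed simplified firewall log format (not a real product's):
#   "<epoch> ICMP echo-request <src> -> <dst>"
LINE_RE = re.compile(r'^(\d+) ICMP echo-request (\S+) -> (\S+)$')

def build_sample_log():
    """Constructed sample lines: one sweeping host, one benign host pinging
    its gateway, and one slow monitoring host."""
    t0 = 1061251200  # constructed epoch timestamp
    lines = []
    # Sweeping host: 40 distinct destinations in 40 seconds (scan pattern)
    for i in range(1, 41):
        lines.append(f"{t0 + i} ICMP echo-request 10.0.5.17 -> 10.0.6.{i}")
    # Benign host: repeated pings to a single gateway
    for i in range(20):
        lines.append(f"{t0 + 3 * i} ICMP echo-request 10.0.5.3 -> 10.0.5.1")
    # Slow monitoring host: 20 destinations spread over 20 minutes
    for i in range(20):
        lines.append(f"{t0 + 60 * i} ICMP echo-request 10.0.5.9 -> 10.0.7.{i + 1}")
    return lines

def parse(lines):
    """Yield (timestamp, src, dst) for every line matching the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_sweepers(lines, window=60, min_targets=16):
    """Return {src: max distinct destinations seen in any `window`-second
    span} for sources reaching at least `min_targets` distinct hosts."""
    events = defaultdict(list)
    for ts, src, dst in parse(lines):
        events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, i = 0, 0
        for j in range(len(evs)):
            # Slide the window start forward until it spans <= `window` seconds
            while evs[j][0] - evs[i][0] > window:
                i += 1
            best = max(best, len({d for _, d in evs[i:j + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_sweepers(build_sample_log()))  # {'10.0.5.17': 40}
```

Tune `window` and `min_targets` to the site's own baseline; a wide window with a high target count still catches slow sweeps without flagging ordinary monitoring hosts.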

On the 19th of August, another mass-mailer, W32/Sobig.F, started spreading. It contained a date trigger, set for 3am on 23rd August, Hong Kong time, when it would attempt to download and execute an unknown program. This is discussed further in the article "Doomsday Countdown", below. By August 22nd, the outbreak of W32/Sobig.F had become the biggest recorded so far: that day MessageLabs stopped about 1.5 million infected messages, mostly carrying W32/Sobig.F, accounting for one in 17 of the emails they processed. Although the numbers have decreased since then, W32/Sobig.F is still the most prevalent virus in MessageLabs statistics.
