NISER: BLASTER WORM ON WANE, NEW WORM MUTATING
21st August 2003 (NISER)

KUALA LUMPUR, August 21: NISER, the National ICT Security Emergency Response Centre, says a new computer worm that began propagating across the Internet on August 18 has hit the internal networks of many local organizations, including government agencies, multinationals and financial institutions.

As a result, the computer networks of several organizations ground to a standstill on August 19.

A spokesperson from NISER said that as of today the worm traffic is still present on the Internet, although its volume has reached a plateau.

"NISER receives feedback from other computer emergency response teams (CERTs) in the Asia Pacific region, and many of them informed us of seeing the same surge in this worm traffic within their operating areas. This worm, known as W32/Welchia by Symantec and W32/Nachi by McAfee, propagates effectively in a local area network (LAN) computing environment.

"NISER observed that a single infected machine produces 3,900 scans (probes) per minute into a network, which causes massive congestion in most private networks," said Raja Azrina, NISER's deputy director of technology and operations.

According to NISER, many organizations initially thought they had been hit by last week's Blaster worm when in fact the culprit was a new worm. This misdiagnosis led to ineffective remedial action within those organizations.

Those who reported to NISER and diligently followed the recommended procedures said they had successfully cleaned their networks of the worm within a few hours on the same day.

The NISER spokesperson went on to say that this worm was also known as a "good worm" because it cleans up the Blaster worm and patches the computer to prevent re-infection.

"However, the bad side of the worm is that it also injects additional traffic into the network, which causes the network to be flooded. This makes access to certain network services, such as Internet browsing and email, impossible at some points.

"It is very difficult to stop the worm from propagating due to the nature of the exploit carried out by the worm.

"It exploits ports and services commonly used in a LAN environment. It is like being in a house (network) with many doors (ports and services) providing access to many rooms (computers), and these doors are left open for the purpose of access by the members of the household. What happened was that several of the rooms were flooded and the 'water' (worm traffic) spilled into all the other rooms," added Raja Azrina.

In a sampling from their research network, NISER saw the first mutation of the worm appearing at 10am on Aug 18 Malaysian Time.

The intensity of traffic increased four-fold in the first four hours. NISER also observed a difference in the traffic profile of the two worms: Blaster caused an increase in traffic destined for TCP port 135 (the Windows RPC service, one of the services used within a network), whereas W32.Nachi generated an even larger volume of ICMP traffic (the protocol used by ping, which is normally allowed to pass across a network) propagating within the network.
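The distinction NISER draws here, Blaster driving TCP port 135 traffic and Nachi driving ICMP, is what a network defender would key on, together with the per-host probe rate quoted earlier in the article. The following is an added example, not code from the article or from NISER/MyCERT, that applies that distinction to flow records: the flow format (`epoch_seconds src dst proto dport`), the addresses, the sample traffic and the per-minute threshold are all constructed assumptions for illustration.

```python
"""Spot Blaster-like vs. Nachi-like scanning in flow records.

Added example, not code from the NISER article or from MyCERT. The flow
format ('epoch_seconds src dst proto dport'), all addresses and the
threshold are constructed for illustration; they are not NISER's figures.
"""
from collections import defaultdict


def make_sample_flows():
    """Constructed sample traffic, NOT a real capture.

    - 10.0.1.20 sweeps a /24-sized range with ICMP echo (Nachi pattern)
    - 10.0.2.30 connects to TCP/135 across many hosts (Blaster pattern)
    - 10.0.3.40 does a handful of pings and RPC connections (ordinary use)
    """
    lines = []
    t0 = 1061190000  # arbitrary epoch timestamp (constructed)
    for i in range(1, 241):  # 240 distinct targets in ~60 s
        lines.append(f"{t0 + i // 4} 10.0.1.20 10.0.9.{i % 254 + 1} icmp 0")
    for i in range(1, 181):  # 180 distinct targets in ~60 s
        lines.append(f"{t0 + i // 3} 10.0.2.30 10.0.8.{i % 254 + 1} tcp 135")
    for i in range(1, 4):  # 3 targets over 30 s, both ping and RPC
        lines.append(f"{t0 + i * 10} 10.0.3.40 10.0.0.{i} icmp 0")
        lines.append(f"{t0 + i * 10} 10.0.3.40 10.0.0.{i} tcp 135")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'ts src dst proto dport' lines; skips blanks and '#' comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        records.append((int(ts), src, dst, proto.lower(), int(dport)))
    return records


def probe_summary(records):
    """Per source: distinct ICMP and TCP/135 targets per minute of activity."""
    per_src = defaultdict(lambda: {"icmp": set(), "tcp135": set(), "ts": []})
    for ts, src, dst, proto, dport in records:
        entry = per_src[src]
        entry["ts"].append(ts)
        if proto == "icmp":
            entry["icmp"].add(dst)
        elif proto == "tcp" and dport == 135:
            entry["tcp135"].add(dst)
    summary = {}
    for src, e in per_src.items():
        # Active span in minutes, floored at one minute so short bursts
        # are not inflated into absurd per-minute rates.
        span_min = max(1.0, (max(e["ts"]) - min(e["ts"]) + 1) / 60.0)
        summary[src] = {
            "icmp_targets_per_min": len(e["icmp"]) / span_min,
            "tcp135_targets_per_min": len(e["tcp135"]) / span_min,
        }
    return summary


def classify_sources(records, threshold=50.0):
    """Label each source by its dominant scan pattern.

    `threshold` (distinct targets per minute) is an assumed tuning value.
    NISER's 3,900 probes/min per infected host is far above it, so this
    also catches much slower scanners; tune it to the site's baseline.
    """
    labels = {}
    for src, s in probe_summary(records).items():
        if s["icmp_targets_per_min"] >= threshold:
            labels[src] = "nachi-like (ICMP sweep)"
        elif s["tcp135_targets_per_min"] >= threshold:
            labels[src] = "blaster-like (TCP/135 scan)"
        else:
            labels[src] = "normal"
    return labels


if __name__ == "__main__":
    flows = parse_flows(make_sample_flows())
    for src, label in sorted(classify_sources(flows).items()):
        print(f"{src:<12} {label}")
```

The count is of distinct targets rather than packets, which is what separates a worm sweeping a range from a monitoring host that pings the same few machines repeatedly; a real Nachi host would show both patterns, since it pinged hosts and then attacked TCP/135, which is why the ICMP test is applied first.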

"We observed the mutation of the worm. The Blaster worm activities almost completely disappeared on the Internet over the past two days due to the clean-up done by the W32.Nachi worm."

The Malaysian Computer Emergency Response Team, or MyCERT, the free computer emergency response service operated by NISER, issued an advisory on August 19. Internet users and organizations are urged to refer to the advisory at http://www.mycert.org.my.

"All vulnerable systems need to be patched, regardless of whether they have been infected by the worm."

NISER predicts that within the next few months several organizations may experience sporadic outbreaks of this worm within their private networks if they fail to take the preventive measure of patching the vulnerable systems.

NISER would also like to alert the public to the new email-borne worm, Sobig-F, which hit the Internet late in the evening of August 19.

It has overwhelmed many organizations that are still struggling to recover from the Nachi worm.