- The Washington Times - Tuesday, August 19, 2003

Two new computer worms spread quickly across the Internet yesterday, causing everything from minor aggravation for e-mail users to total shutdowns of corporate networks.

Less than a week after the “Blaster” worm and its variants crippled hundreds of thousands of computers worldwide, computer-security companies issued warnings about W32.Welchia.Worm and SoBig.F, both of which can bog down computer networks and cause systems to crash.

The Department of Homeland Security issued a warning about Welchia, also called “Nachi,” because it has embedded itself in hundreds of private networks and reproduces quickly enough to slow and even shut down Internet systems in what are known as “denial of service attacks.”

SoBig.F, meanwhile, spreads by sending itself to a random address in a user’s e-mail directory and can download files and distribute personal information. E-mail containing the worm usually features a subject line like “Re: Details” or “Re: Approved.”

The worm’s code is embedded in documents in the e-mail and can spread further if people open those documents. In some cases, SoBig will place files on a personal computer to steal confidential information, or create “open relays” or holes in e-mail systems that allow spammers to send unsolicited e-mail anonymously.

Macintosh and Linux users, though they can receive e-mail from the worm, are not at risk of having their systems invaded further.

Welchia, which is seen as the more damaging of the two worms, knocked the Navy Marine Corps intranet offline for most of Monday and yesterday, leaving thousands of Navy workers without access.

Lockheed Martin also said a portion of its company computers shut down Monday, forcing the company to briefly stop employees from accessing the company network while traveling.

Welchia is designed to find computers infected with the Blaster worm and enters computers using the same vulnerability in Microsoft XP, 2000 and NT software. But it also enters through a vulnerability in Microsoft’s server software, so anyone who was protected against Blaster is not necessarily protected against Welchia. And because it is able to enter computers through two vulnerabilities, it has spread quickly, causing many corporate networks to slow.

“This is actually causing more problems than Blaster,” said Russ Cooper, surgeon-general with TruSecure, a Herndon Internet security company. “There are networks going down.”

Blaster infected more than 500,000 computers worldwide last week, causing many to crash or restart without warning. Internet security companies said fewer computers are affected by Welchia but that it is more devastating because of its effects on corporate networks.

Welchia was originally viewed by some security experts as a “good” worm, because it deletes the Blaster worm from infected systems. But its fast propagation rate has meant the Welchia worm has done far more harm than good, analysts said.

“We’re not going to see hundreds of thousands of infections, but inside organizations we’re seeing significant impact,” said Vincent Weafer, a senior director with Symantec, a Cupertino, Calif., Internet security company. “Some of these companies are seeing some severe impact on business operations.”

Symantec upgraded Welchia to a four on its five-point threat scale, with five being the most serious. Blaster was also ranked as a four.

Internet security companies track how often worms and viruses scan computer systems for vulnerabilities to exploit. Mr. Cooper said the amount of scanning related to the Welchia worm tripled yesterday compared with the previous 72 hours, when Welchia appeared.

To prevent both worms, security experts suggested that computer users download software patches from Microsoft’s Windows Update Web page and update their virus protection software.

Copyright © 2018 The Washington Times, LLC.
