An Update On: Sobig.F and Blaster
Boring Variants Still Annoy Users
August 19, 2003
Virus Update
Two worms have been bouncing around the Internet today like superballs in a
racquetball court. But if you're a LiveSecurity subscriber, the worms should be
all bark and no bite.
Sobig.F and Nachi are new variants of earlier worms (Sobig and Blaster, respectively) that reuse their predecessors' infection methods. If you have already protected yourself against Sobig and Blaster, Sobig.F and Nachi should have no effect on your network at all. Nonetheless, the new variants have caused huge increases in ICMP traffic, continuous scanning of TCP port 135, and a flood of e-mail messages asking the recipient to "See the attached file for details."
Although these variants are raging against your machines, we don't expect them to affect you if you've applied the solutions from our latest Sobig and Blaster alerts. You'll likely receive many Sobig.F e-mails "defanged" by your SMTP Proxy, and might even hear about the "good Samaritan" Blaster worm, so we wanted to let you know not to worry. If you're pressed for time, you can stop reading here. If you're curious about basic details concerning these variants, read on:
- Sobig.F. Sobig.F is an unimaginative variant of the Sobig virus. It can use different subject lines, body text, and attachment names, but the attachment file types are still .SCR and .PIF. Any message asking you to "see its attachment for details" is probably this new Sobig variant, and you will probably see a lot of these messages today. Firebox users who followed the advice in our last Sobig Alert and blocked the .SCR and .PIF attachment types with the SMTP Proxy will still receive a "defanged" Sobig.F e-mail, but without the infectious attachment the worm is impotent. Like previous Sobig variants, version F has a built-in expiration date (September 10), after which it stops spreading. Anti-virus manufacturer Sophos believes that Sobig's author may have seeded it using spamming technology, a rotten innovation we hope other worm authors fail to copy. If your network is small enough for you to consider a client-based solution that must be installed on each PC, the free tool SpamBayes gives you additional protection against Sobig.
- Nachi (also known as Welchia, MSBlast.D and LovSan.D). Nachi is a new variant of the Blaster worm that exploits the Microsoft Windows DCOM RPC buffer overflow described in our July 16 Information Alert. Nachi exploits the DCOM vulnerability the same way the original Blaster worm does, but it can also exploit the WebDAV flaw we reported in our March 17 Information Alert, so a machine patched against Blaster alone is still exposed through WebDAV if that patch is missing. In a unique twist, Nachi attempts no deliberately destructive action; instead it tries to download and install Microsoft's security patch for the DCOM RPC flaw, in hopes of protecting the victim against future attacks. Regardless of the worm's seemingly benign intentions, there is no such thing as a "good worm": Nachi destabilizes the systems it infects, installs a rogue TFTP server on each victim, and its host-hunting ICMP sweeps account for the surge in ICMP traffic noted above. If you have followed the advice in our Blaster and WebDAV alerts, this worm will not affect you.
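To show what the "defanged" Sobig.F message described in the Sobig.F item above looks like in practice, here is an added example (not WatchGuard's SMTP Proxy code) that parses an incoming message, strips any .SCR or .PIF attachment, and leaves the rest of the message intact for delivery. The sample message, the notice text and the base64 stub standing in for the attachment body are all constructed for the example.

```python
"""Defang Sobig.F-style mail: deliver the message, strip .SCR/.PIF attachments.

Added example, not WatchGuard's SMTP Proxy code. It mimics the behaviour the
alert describes (the recipient still gets the "see attached file" message,
minus the infectious attachment) using only the standard library.
"""
from email import message_from_string
from email.policy import default

# Attachment types the alert says Sobig.F still uses.
BLOCKED_EXTENSIONS = (".scr", ".pif")

# Text that replaces each stripped attachment (assumed wording, not the proxy's).
NOTICE = "[Attachment {name!r} removed by SMTP filter: blocked file type]\n"


def is_blocked_name(filename):
    """True if the attachment name ends in a blocked extension.

    The comparison is case-insensitive and ignores trailing dots and spaces,
    which Windows drops when it opens the file, so "DETAILS.PIF " is caught
    just like "details.pif".
    """
    if not filename:
        return False
    name = filename.strip().lower().rstrip(". ")
    return name.endswith(BLOCKED_EXTENSIONS)


def attachment_names(msg):
    """Filenames of all non-multipart parts that still carry a name."""
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def defang(raw_message):
    """Parse an RFC 822 message and replace blocked attachments with a notice.

    Returns (modified message object, list of removed attachment names).
    """
    msg = message_from_string(raw_message, policy=default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if is_blocked_name(name):
            removed.append(name)
            # set_content() clears every Content-* header on the part (so the
            # old Content-Disposition and filename vanish) and replaces the
            # body with a plain-text notice.
            part.set_content(NOTICE.format(name=name))
    return msg, removed


# Constructed sample: a Sobig.F-style message with a placeholder .PIF payload
# (the base64 is an arbitrary stub, not the worm).
SAMPLE_MESSAGE = """\
From: someone@example.com
To: you@example.net
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"

See the attached file for details.
--sep
Content-Type: application/octet-stream; name="your_details.PIF"
Content-Disposition: attachment; filename="your_details.PIF"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--sep--
"""

if __name__ == "__main__":
    clean, removed = defang(SAMPLE_MESSAGE)
    print("removed:", removed)
    print(clean.as_string())
```

The check is on the attachment's name, which is all a gateway can cheaply see; that is why the comparison lowercases and trims the name, since "Details.PIF " is opened by Windows exactly like "details.pif". Note that this only protects mail that passes through the proxy; a mailbox fetched by some other route is not covered.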
As always, remember that worms don't always use your network's front door. Make sure all your mobile users have up-to-date anti-virus software, because an infected laptop carried inside the firewall will spread Nachi or Blaster behind your perimeter defenses. And SMTP filtering will not stop a message that arrives by some other protocol (webmail over HTTP, for example); for a refresher on the topic, see the LiveSecurity article "How Those Sneaky Emails Get In."
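A Nachi- or Blaster-infected laptop that walks in past the firewall announces itself by the traffic pattern this alert describes: ICMP echo requests fanned out across a subnet, followed by connection attempts to TCP port 135. The following added example (not WatchGuard code, and not Firebox log syntax) flags such hosts from a batch of flow-log lines. The key=value log format, the sample lines and the thresholds are constructed for the example; tune the thresholds against your own baseline.

```python
"""Flag hosts whose ICMP echo and TCP/135 traffic fans out the way Nachi's
(and Blaster's) victim-hunting does.

Added example, not WatchGuard code. The log format is a constructed key=value
syntax (not Firebox log syntax) and the thresholds are assumptions to tune
against your own baseline.
"""
from collections import defaultdict
import ipaddress

ICMP_ECHO_TYPE = 8     # ICMP echo request, the "ping" Nachi uses to find hosts
DCOM_RPC_PORT = 135    # TCP port the DCOM RPC exploit targets


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; returns None for lines that don't parse."""
    rec = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        rec[key] = value
    return rec if "src" in rec and "dst" in rec else None


def is_icmp_echo(rec):
    return rec.get("proto") == "icmp" and rec.get("type") == str(ICMP_ECHO_TYPE)


def is_rpc_probe(rec):
    return (rec.get("proto") == "tcp" and "S" in rec.get("flags", "")
            and rec.get("dport") == str(DCOM_RPC_PORT))


def longest_run(addresses):
    """Length of the longest run of consecutive IPv4 addresses in the set.

    A worm walking a subnet address by address produces long runs; ordinary
    traffic almost never does.
    """
    ints = sorted(int(ipaddress.IPv4Address(a)) for a in addresses)
    best = run = 0
    prev = None
    for n in ints:
        run = run + 1 if prev is not None and n == prev + 1 else 1
        best = max(best, run)
        prev = n
    return best


def scan_report(lines, icmp_threshold=20, rpc_threshold=5):
    """Per-source fan-out report for sources crossing either threshold.

    Thresholds are assumed values: distinct destinations pinged or probed on
    port 135 within whatever slice of log the caller passes in.
    """
    icmp_dsts = defaultdict(set)
    rpc_dsts = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_icmp_echo(rec):
            icmp_dsts[rec["src"]].add(rec["dst"])
        elif is_rpc_probe(rec):
            rpc_dsts[rec["src"]].add(rec["dst"])

    report = {}
    for src in set(icmp_dsts) | set(rpc_dsts):
        icmp_targets = icmp_dsts.get(src, set())
        rpc_targets = rpc_dsts.get(src, set())
        findings = []
        if len(icmp_targets) >= icmp_threshold:
            findings.append("icmp-sweep")
        if len(rpc_targets) >= rpc_threshold:
            findings.append("rpc-135-scan")
        if findings:
            report[src] = {
                "findings": findings,
                "icmp_targets": len(icmp_targets),
                "longest_icmp_run": longest_run(icmp_targets),
                "rpc_targets": len(rpc_targets),
            }
    return report


def build_sample_log():
    """Constructed log: one Nachi-like host sweeping 10.1.3.0/24, one normal host."""
    lines = []
    for i in range(1, 41):                       # ping 40 consecutive neighbours
        lines.append(f"t=1 proto=icmp type=8 src=10.1.2.40 dst=10.1.3.{i}")
    for i in (3, 9, 17, 25, 33):                 # then probe the responders on 135
        lines.append(f"t=2 proto=tcp flags=S src=10.1.2.40 dst=10.1.3.{i} dport=135")
    lines.append("t=1 proto=icmp type=8 src=10.1.2.7 dst=10.1.2.1")           # gateway ping
    lines.append("t=2 proto=tcp flags=S src=10.1.2.7 dst=10.1.2.25 dport=25")  # mail
    lines.append("t=3 proto=tcp flags=S src=10.1.2.7 dst=10.1.2.25 dport=25")
    lines.append("this line is garbage and is skipped")
    return lines


if __name__ == "__main__":
    for src, info in sorted(scan_report(build_sample_log()).items()):
        print(src, info)
```

Counting distinct destinations rather than raw packets keeps a chatty but legitimate host (many packets to one server) below the threshold, while the longest-run figure separates a worm walking a subnet from a monitoring system that pings a scattered list of servers.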
References:
WatchGuard Alerts:
Sophos Alert:
McAfee Alerts:
Symantec Alerts:
Credits: Researched by Corey Nachreiner; written by Corey Nachreiner and Scott Pinzon
Date: 08/24/2004