Blaster Variant on the Loose

Security experts report that some copies of the variant are coming packed with various known Windows Trojan programs.

Security experts are now tracking a new variant of the Blaster worm that was first spotted Wednesday morning.

The new version is nearly identical to the original, except for a new name on the executable file and a different registry key. The variants file name is "teekids.exe," and the key it adds to the registry is: "Microsoft Inet Xp.." The key is located in the same place as Blasters key is, according to Neel Mehta, research engineer at Internet Security Systems Inc. in Atlanta.

"Some of our customers say that theyre seeing more copies of the new one than the old one, but I think thats just bad luck," Mehta says. "It scans exactly the same way and acts exactly the same as Blaster."

Mehta said that some copies of the new variant are coming packed with various known Windows Trojan programs, as well.

The Blaster worm, also known as LoveSan, began infecting Windows NT, 2000 and XP machines Monday afternoon and has been spreading rapidly ever since. The worm exploits a vulnerability in the Windows RPC (Remote Procedure Call) service and sucks up a lot of bandwidth scanning for other vulnerable machines once it has infected a PC.

Microsoft made a patch available for the flaw in mid-July when the vulnerability was first disclosed, and those people who waited until now to apply it are running into serious problems. Between the slow response on the Windows Update Web site and the fact that infected XP machines fall into a continuous reboot cycle once the RPC service fails, many users have been unable to download the fix. Users can also download the patch from the Download Center at Microsofts main Web site.


There are some other alternatives for cleaning up Blaster, though. On XP machines, users can enable the Internet Connection Firewall, which blocks the worms activity, and then try to download the patch. Users running other operating systems can install other personal firewalls or follow a set of steps to disable the DCOM (Distributed Component Object Model) service in Windows to prevent infection by Blaster, and then install the patch, according to officials at the CERT Coordination Center.

However, on machines running Windows 2000 Service Pack 1 or 2, this method does not completely disable DCOM, security experts said.

In addition to causing major headaches for users and IT staffs, Blaster is also being blamed for some service problems on Comcast Corp.s cable modem network. Several Comcast customers said their service had been down for extended periods during the last couple of days and that Comcast officials said Blaster was to blame.