A modified version of the W32.Blaster worm is on the loose, according to advisories from two security firms. But users whose machines are patched against the original Blaster should be protected against the variant as well.
Kaspersky Labs, a security firm in Moscow, this morning reported that it had detected a modified version of Blaster, also known as Lovsan, that takes advantage of the same vulnerability in the Windows interface that handles remote procedure calls (RPC).
The only changes seem to be in the appearance of the new worm and a new text string abusing Microsoft and antivirus writers, according to the the Kaspersky alert.
The name of the worm file has been changed from MSBLAST.EXE to TEEKIDS.EXE, according to Steven Sundermeier, a vice president at Central Command, a Medina, Ohio-based vendor of antivirus software. The variant also uses a different code-compression method than the original, he says.
An official at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh said the centre had not heard of any variants so far. But given the amount of exploit code available that can take advantage of the RPC vulnerability, the reported appearance of variants isn't surprising, says Art Manion, an internet security analyst at CERT.
Meanwhile, the original worm still appears to be spreading, but at a slower pace. At this point, "it's more of a slug than a worm really," says Russ Cooper, an analyst at TruSecure, a security vendor in Herndon, Virginia, and moderator of the NTBugTraq mailing list. "It's crawling along at a very slow rate."
So far, TruSecure's servers have recorded attacks from about 471 unique Internet Protocol addresses -- or about 13 new ones every hour, Cooper says. About 88% of the attacks on TruSecure's servers are from new IP addresses.
CERT estimated the number of infected systems worldwide as being "in the low hundreds of thousands," Manion says.