Worst virus week continues

Four new major virus cases within 24 hours
Helsinki, Finland - August 19, 2003
"This reminds me of fall 2001", comments Mikko Hyppönen, Director of Anti-Virus Research at F-Secure Corporation. "Year 2001 still stays in history as the worst virus year ever, but this is starting to get just as bad. Within one week we've seen several major virus outbreaks as well as some completely new techniques in viruses."
Lovsan
The Lovsan (or Blaster) network worm started to spread on Monday, August 11, 2003. The worm spreads as an executable named MSBLAST.EXE to Windows 2000 and Windows XP systems on which the recent Windows security patches have not been applied. The infection is completely invisible to the end user, and every infected machine then keeps replicating the worm further. Lovsan has already infected hundreds of thousands of computers, and in addition to the original Lovsan, three new variants have been found. The latest one, Lovsan.D, was discovered on August 19, 2003.
Welchi
The Welchi (or Nachi) worm was first discovered on August 18, 2003. It uses the same RPC hole as Lovsan to infect machines. However, Welchi also tries to infect web servers running Microsoft IIS 5.0 by exploiting a WebDAV vulnerability found in March 2003.
Welchi is clearly much more advanced than the relatively simple Lovsan worm. When infecting a computer that has already been infected by Lovsan, Welchi kills Lovsan and removes the infection. In addition to this feature, the worm will try to apply the Microsoft patch to close the RPC hole. Welchi is programmed to die on January 1st, 2004. After this date the worm will uninstall and remove itself from infected systems. The biggest side effect of Welchi is that it generates a lot of network traffic, enough to cause problems for some routers and switches.
Sobig.F
This worm is part of the Sobig family, which was started by Sobig.A in January 2003. Sobig.F, which was discovered on August 19th, is then the fifth variant of this worm. Sobig variants all stop spreading on a certain date. Whenever a previous variant expired, the next variant would start spreading. All Sobig versions have spread widely.
"Sobig.E was programmed to die on July 14th, and we expected to see the next version around that time. However, apparently the virus writer has been on vacation since it took four weeks for Sobig.F to appear", Mikko Hyppönen says.
Sobig variants typically install backdoors to infected systems. Some of them have been used to send massive amounts of spam.
Lovsan.D
Lovsan.D is a new variant of the Lovsan worm with a modified attachment name. Instead of msblast.exe, the attachment is now named mspatch.exe.
Dumaru
Dumaru was found on August 19th, and it exploits the attention caused by the Lovsan worm. Dumaru sends an email message spoofed to appear to come from support@microsoft.com. According to the body text, the attached PATCH.EXE file will fix the vulnerability. If this attachment is opened, the machine is infected. Dumaru also installs a backdoor through which the virus writer can remotely control the machine.
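A mail-gateway triage check for the Dumaru pattern just described (a message claiming to come from support@microsoft.com with an executable PATCH.EXE attached), written here as an added Python example and not taken from F-Secure or from any of its products. The sample messages, the helper names and the gateway policy are constructed; the file-name list also includes the msblast.exe and mspatch.exe names quoted elsewhere on this page.

```python
"""Flag mail that spoofs a vendor support address and carries an executable
"patch" attachment, the lure used by Dumaru. Added example, not F-Secure code."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# File names quoted in the bulletin (constructed list) plus generic executable extensions.
SUSPECT_NAMES = {"patch.exe", "mspatch.exe", "msblast.exe"}
EXEC_EXTENSIONS = (".exe", ".pif", ".scr", ".com", ".bat")
VENDOR_DOMAIN = "microsoft.com"  # domain the lure impersonates


def attachment_names(msg):
    """Return the file names of every attachment part in a parsed message."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and part.get_content_disposition() in ("attachment", "inline"):
            names.append(fname)
    return names


def triage(raw_message: bytes) -> list[str]:
    """Return the reasons a message should be quarantined; empty list means clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    _, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()
    claims_vendor = domain == VENDOR_DOMAIN or domain.endswith("." + VENDOR_DOMAIN)
    for name in attachment_names(msg):
        lower = name.lower()
        if lower in SUSPECT_NAMES:
            reasons.append(f"known worm file name: {name}")
        elif lower.endswith(EXEC_EXTENSIONS):
            reasons.append(f"executable attachment: {name}")
    # A vendor address on an unsolicited executable is the Dumaru lure itself.
    if claims_vendor and reasons:
        reasons.append(f"executable sent under the {domain} support address")
    return reasons


def build_sample(sender: str, filename: str) -> bytes:
    """Construct a test message with one attachment (constructed data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.org"
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content("Install the attached patch to fix the RPC vulnerability.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Running `triage(build_sample("Microsoft Support <support@microsoft.com>", "PATCH.EXE"))` yields two reasons, while a PDF from a colleague yields none.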
Detailed technical descriptions of the worms as well as screenshots are available in the F-Secure Virus Description Database at
http://www.f-secure.com/v-descs/sobig_f.shtml
http://www.f-secure.com/v-descs/welchi.shtml
http://www.f-secure.com/v-descs/msblast.shtml
http://www.f-secure.com/v-descs/dumaro.shtml
http://www.f-secure.com/v-descs/lovsand.shtml
F-Secure Anti-Virus can detect and stop these worms. F-Secure Anti-Virus can be downloaded from http://www.f-secure.com
About F-Secure Corporation
F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North American headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licensing and distribution agreements, the company's security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.
Media queries to:
Mikko Hypponen, Director, Anti-Virus Research
F-Secure Corporation
Tel. +358 9 2520 5513
Email: Mikko.Hypponen@F-Secure.com
Mikael Albrecht, Product line Manager
Tel. +358 9 2520 5640
Email: Mikael.Albrecht@F-Secure.com
Media contact in the USA:
F-Secure Inc.
Heather Deem,
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email Heather.Deem@F-Secure.com