Newest Blaster Variant Plugs Hole

It seems that another internet worm, sometimes called Worm_MSBLAST.D and sometimes called W32.Nachi-A, is making the rounds. This one, however, appears to be on a mission to repair the damage done by last week’s MSBLAST worm. It “infects” computers, attempts to remove the original Blaster worm, then downloads and installs the patch to protect against another infection by Blaster. There’s no evidence so far that anything malicious is done by the new worm. Any time an unauthorized program runs on your PC it’s bad news, but in the long run, maybe this will help clean out machines that were never patched or that have users too clueless to fix them.

Also, a new version of the Sobig e-mail attachment virus is spreading. This latest incarnation is W32.Sobig.F.

The worm arrives in e-mail messages with nondescript subjects such as “Re: Thank you!” “Your details” and “Re: wicked screensaver.” The worm code is stored in attached executable files with names such as “your_document.pif,” “details.pif” and “movie0045.pif,” according to [anti-virus company] F-Secure.

Unlike earlier versions, which all originated from the same e-mail address, or claimed to be from Bill Gates, W32.Sobig.F inserts e-mail addresses stolen from the victim’s computer into the “From:” field, creating the impression that the e-mail was sent from a trusted source, F-Secure said. Like earlier Sobig variants, Sobig.F comes with an expiration date. The worm will stop spreading on September 10. Copies of Sobig.F that are launched after that date will shut down immediately, F-Secure said.

Rough week for the A-V people. Or maybe a good week, from a software sales perspective?