Blaster Seizes Control, Politburo Disbanded

Okay, so that last part was a joke. In stark contrast comes the rapid spread of a new internet worm, which seems to have taken many by surprise and is continuing to infect users with unprecedented rapidity.

It goes by several names - MSBlast, W32.Blaster, Lovsan - and has a relatively mild (but annoying) payload: it uses a DCOM RPC exploit to shut down a critical system service and cause the infected computer to reboot at random intervals. It will also attempt to send itself on to another computer by generating a random IP address and sending a TCP request to port 4444 of the target host.

More information and removal instructions can be found here. Note that many anti-virus programs will not detect or remove this virus; if you have received it, follow the removal instructions above, then visit the WindowsUpdate site and apply the necessary security patches to bring your computer up to date. Even if you haven't received the virus, apply said patches anyway, since you don't actually need to open any e-mail attachments to be infected. Your computer just has to run Windows XP or 2000 and have ports 4444, 135, and 136 open (which is likely to be most of you).
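For anyone watching a network rather than a single PC, the spreading behaviour described above (one machine trying many random addresses on the ports named in this post) stands out in firewall logs. The following is an added example, not part of the original post: the log format, addresses and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

WORM_PORTS = {135, 136, 4444}  # ports named in the post
MIN_DISTINCT_TARGETS = 4       # assumed threshold, tune per network

# Constructed firewall log lines: "<time> <src> -> <dst>:<port> <proto> <flags>"
SAMPLE_LOG = """\
12:00:01 10.0.0.5 -> 198.51.100.7:135 TCP SYN
12:00:01 10.0.0.5 -> 203.0.113.44:135 TCP SYN
12:00:02 10.0.0.5 -> 192.0.2.19:135 TCP SYN
12:00:02 10.0.0.5 -> 198.51.100.7:4444 TCP SYN
12:00:03 10.0.0.5 -> 192.0.2.200:135 TCP SYN
12:00:03 10.0.0.5 -> 203.0.113.9:4444 TCP SYN
12:00:04 10.0.0.9 -> 10.0.0.2:135 TCP SYN
12:00:05 10.0.0.9 -> 10.0.0.2:135 TCP SYN
12:00:06 10.0.0.7 -> 192.0.2.1:443 TCP SYN
12:00:06 10.0.0.7 -> 192.0.2.2:443 TCP SYN
12:00:07 10.0.0.7 -> 192.0.2.3:443 TCP SYN
12:00:07 10.0.0.7 -> 192.0.2.4:443 TCP SYN
12:00:08 truncated line
"""

def parse_line(line):
    """Return (src, dst, port, proto, flags), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    dst, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return parts[1], dst, int(port), parts[4], parts[5]

def suspected_scanners(log_text, ports=WORM_PORTS, threshold=MIN_DISTINCT_TARGETS):
    """Map each source host to its count of distinct targets on the worm's ports."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or damaged log lines
        src, dst, port, proto, flags = rec
        if proto == "TCP" and flags == "SYN" and port in ports:
            targets[src].add(dst)
    # One host repeatedly reaching a single server is normal; many distinct targets is not.
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

if __name__ == "__main__":
    print(suspected_scanners(SAMPLE_LOG))
```

Counting distinct destinations rather than raw connections keeps a workstation that talks to one internal server on port 135 from being flagged.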

Fortunately, removal is relatively simple. At best, it necessitates running a simple patch. TrendMicro also have a patch available. At worst, it involves editing the registry and deleting the errant executable file.

The security flaw that the virus exploits was discovered over a month ago, and a security advisory and subsequent patch were immediately released by Microsoft and CERT. The worm (note the distinction) only affects users who have not applied the patch.

Of course, the real victims in all this are not computer users, corporations, or even the many hapless government departments which found themselves shut down (literally) - no, the real victims are the squadrons of exasperated IT support desk operators, each of whom must be inundated with calls from ignorant users who have no idea why their computers continue to reboot.

It's sad, really. Helpdesk operators become irate at the average user's inability to be prompt about installing security patches and the like, while the average user calls up their computer manufacturer or ISP, wondering what on earth is happening to their 'productivity tool'. While it's by no means ideal to have to install barrages of hotfixes, service packs, virus-scanners, hardware firewalls, NAT configurators, port-blockers, and software patches, it's also naive for consumers to expect that their whizz-bang piece of hardware is going to exempt them from software problems that plague other users.

Not since Code Red has an internet worm infected so many so quickly. And users have until 16 August before any infected computers simultaneously activate a worldwide denial of service attack upon the root WindowsUpdate server. Funnily enough, though, many users are reporting that they will allow the worm to remain on their computer until after the 16th of the month, so they may participate in what promises to be one of the largest DoS attacks in recent years. I pity the WindowsUpdate server administrator...