New Worm Targets Windows Flaw

The worm--identified by at least three different names depending on which security vendor is issuing the warning--has the potential to cause a denial-of-service attack.

Managed security services firm Lurhq, which has called the worm MSBlast, said scans for the RPC flaw have increased 300 percent since Sunday due to the new worm.

The worm scans random ranges of IP addresses on port 135 for the security flaw, according to AVERT researchers at Network Associates, which called the worm Lovsan. It sends exploit code to vulnerable systems and instructs them to download and execute the file MSBlast.exe from a remote system via TFTP, the company said.

Network Associates rated the worm "medium on watch" because of its spread. Symantec, which has dubbed the worm Blaster, rated the threat as a three on a scale of one to five.

Lurhq researchers said the worm can scan systems for the vulnerability at a rapid clip--20 hosts per second. The firm advised clients to apply the patches in Microsoft's Security Bulletin MS03-026 immediately and to block network access to the RPC service at network borders.

The flaw is a buffer overflow in a component of the Remote RPC protocol that is used by Windows. The vulnerability affects an interface with RPC that deals with message exchange over TCP/IP port 135, according to Microsoft.

Microsoft issued a patch for the flaw--which affects most versions of Windows, including Windows Server 2003--last month.