MSBlast still spreading and variant appears

With administrators still struggling to patch their systems the MSBlast worm is spreading to around 2,500 new computers each hour and a new variant has also been released, according to anti-virus firms.

Security company Symantec, which directly measures the spread of the worm via sensors distributed throughout the internet, said the number of computers compromised by MSBlast – also known as W32/Lovsan and W32.Blaster - had reached 228,000 yesterday.

Alfred Huger, senior director of engineering for the company's security response team, estimated that millions of computers may still be vulnerable to the flaw, leaving administrators scrambling to patch systems before they fall victim to the worm's relentless spread.

"If people don't patch, there could be millions of infections," he said.

Symantec and rival anti-virus companies Network Associates, Kaspersky Labs and Central Command all warned users of a modified version of the worm that apparently differs by only a few file names but otherwise is identical to the original. Network Associates also discovered a third version of the worm that apparently changes a file name and a registry key.

Huger said that because the variants don't repair the worm's flawed method of selecting new targets, they won't change the overall properties of the current epidemic. "The variant spreads roughly at the same speed" as the original worm, he said.

The introduction of the MSBlast worm ended nearly a month of speculation over when a programmer would commit the obvious crime of writing a worm that takes advantage of a vulnerability in a widely used feature of Microsoft Windows. The worm pieces together code to exploit the most recent major flaw in Windows with publicly available tools such as the Tiny, or Trivial, File Transfer Protocol (TFTP) server.

Estimates of the size of the MSBlast epidemic vary widely.

The Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information on internet threats, said as many as 1.4 million internet addresses seemed to be the home of computers the worm - or an earlier attack program on which the worm was based - had compromised.

But Art Manion, an internet security analyst with the CERT Coordination Center, said the media widely equated the data with the total number of computers infected. In reality, the number could be less, because the dynamic address assignment broadband providers use for home users could significantly inflate the apparent number of infections.

"One million (infections) is probably an order of magnitude too high," Manion said. Instead, "hundreds of thousands" of compromised computers is far more realistic."

Symantec and threat-tracker Internet Storm Center - two organisations that based their data on direct internet measurements - each recorded less than 250,000 infected computers by Wednesday.

Johannes Ullrich, chief technology officer for Internet Storm Center, said: "The spread is stabilising,"

During the past 12 hours, Symantec has detected from 420 to nearly 4,000 infections per hour, with an average of about 2,500 new computer compromised hourly. The worm, which security experts believe started spreading early Monday, scans for vulnerable computers so widely that an unpatched Windows XP computer on the internet could be infected in just 25 minutes, according to Symantec studies.

Still, the infection rate is much slower than that of the Code Red v.2 worm, which - at its fastest - compromised 100,000 computers in about five hours and about 350,000 computers in a day. If the rate holds, the MSBlast worm could infect a million computers in less than two weeks.

Robert Lemos writes for CNET News.com