August was a big battle month for most corporate users fighting the latest internet-borne malicious virus code. WORM_MSBLAST.A and WORM_SOBIG.F (nicknamed MS Blaster and SOBIG.F) rattled IT infrastructures in epic proportions.
WORM_MSBLAST.A - At COMNEXIA®, we took the sting out of MS Blaster for our customers by always recommending a standard firewall appliance. COMNEXIA® networks that had this appliance suffered little to no downtime due to this worm. The vulnerability it exploits, in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. Since the worm propagates itself over a specific IP port (135), our firewall appliance blocked network entry to this worm.
WORM_SOBIG.F - This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions:
The sheer volume of email generated by this virus clogged ISP routers to the point at which small businesses with slower internet upstreams (e.g. dial-in, ISDN, DSL) could in most cases not function over the internet at all. The unique vulnerability that this virus brought to reality allowed workstations totally outside of a corporate computer network to team up and attack a specific network. In most cases this attack was simply the result of an out-of-network workstation using email addresses stored in one of the above-mentioned file formats on a compromised workstation. Corporations that have outside sales staff or remote locations routinely have their entire global email address list stored on systems outside the corporate network. As these systems were infected, a major SMTP broadcast attack would ensue. The COMNEXIA® team took a unique approach to stopping these types of attacks. Our team of technicians helped a customer tech contact at each location isolate the IP address source of each email attack. At the core router level COMNEXIA® then turned off all access from that specific infected user. When the user's system was determined to be clean and healthy, we then removed the IP block.
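The isolate-then-block cycle described above can be illustrated with a small script. This is an added example, not COMNEXIA® tooling: it reads constructed, simplified mail-relay log lines (timestamp, client IP, recipient count; the field names are assumptions), flags any source whose recipient count inside a sliding one-minute window exceeds a threshold, and keeps a per-IP deny list that can be rendered as router access-list entries and released once the host is clean.

```python
"""Flag mass-mailing sources in SMTP relay logs and manage per-IP blocks.

Added example, not COMNEXIA's own tooling. The log line format, the
threshold and the access-list syntax are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One constructed log line: ISO timestamp, client IPv4, recipient count.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) nrcpt=(?P<n>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, client_ip, recipient_count); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["ip"], int(m["n"])


def find_mass_mailers(events, window=timedelta(seconds=60), threshold=20):
    """Return {ip: first_timestamp_over_threshold} for every source whose
    recipients within any `window` exceed `threshold` (a mass-mailer burst)."""
    recent = defaultdict(deque)   # ip -> deque of (ts, nrcpt) still in window
    totals = defaultdict(int)     # ip -> recipients currently in window
    flagged = {}
    for ts, ip, n in sorted(events):
        q = recent[ip]
        q.append((ts, n))
        totals[ip] += n
        # Evict events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_n = q.popleft()
            totals[ip] -= old_n
        if totals[ip] > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


class SourceBlockList:
    """Per-IP deny list mirroring the core-router block/release cycle."""

    def __init__(self):
        self.blocked = {}   # ip -> reason string

    def block(self, ip, reason):
        self.blocked[ip] = reason

    def release(self, ip):
        """Remove the block once the host is clean; True if it was blocked."""
        return self.blocked.pop(ip, None) is not None

    def acl_lines(self):
        # IOS-style deny entries; list number 110 is an arbitrary placeholder.
        return [f"access-list 110 deny ip host {ip} any"
                for ip in sorted(self.blocked)]


def build_sample_log():
    """Constructed sample: one host bursts 30 single-recipient mails in
    30 seconds, another sends 3 mails spread over minutes, plus a bad line."""
    base = datetime(2003, 8, 19, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} "
             f"client=203.0.113.7 nrcpt=1" for i in range(30)]
    lines += [f"{(base + timedelta(minutes=2 * i)).isoformat()} "
              f"client=198.51.100.23 nrcpt=1" for i in range(3)]
    lines.append("garbled relay line with no fields")
    return "\n".join(lines)


def respond(log_text):
    """Detect bursting sources and put each one on the deny list."""
    flagged = find_mass_mailers(list(parse_log(log_text)))
    blocklist = SourceBlockList()
    for ip, ts in flagged.items():
        blocklist.block(ip, f"mass-mail burst starting {ts.isoformat()}")
    return flagged, blocklist


if __name__ == "__main__":
    flagged, blocklist = respond(build_sample_log())
    for ip, ts in flagged.items():
        print(f"flagged {ip} at {ts.isoformat()}")
    print("\n".join(blocklist.acl_lines()))
    # After the technician confirms the host is clean:
    blocklist.release("203.0.113.7")
    print("remaining blocks:", blocklist.acl_lines())
```

The sliding window matters: a single busy but legitimate sender spreads mail over time and never crosses the threshold, while an infected host's burst trips it within seconds, which is the behaviour a technician would look for before asking for a router-level block.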
Copyright © 2007 COMNEXIA® Corporation, Atlanta, GA