New Worms On Cyber-Prowl

Two more computer worms - Nachi/Welchia and Sobig.F - have joined LovSan/MBlaster in the pack of cyber-prowlers looking to puncture privacy and take control of your computer.

The worm known as both Nachi and Welchia wreaked havoc Tuesday with Air Canada's airline reservation systems, creating long lines at the Vancouver airport as weary travelers were forced to check in manually.

Nachi/Welchia also popped up in various nooks and crannies in the United States, including Kentucky, where it interfered with state government computers which handle motor vehicle registration, Medicaid, food stamps, and child support.

Nachi/Welchia targets the same Windows computer users as does LovSan/MBlaster. But this worm has a peculiar Internet avenger-type behavior: it seeks to take control of your computer, delete LovSan/MBlaster if it is present, install the Microsoft patch to protect against LovSan/MBlaster, and then reboot your computer (which is part of the patch installation process).

"This new worm doesn't destroy the PC or do anything real harmful, but it starts sending out scans across the network," says Rodney Murphy, of the Kentucky Governor's Office for Technology, adding that the scans clog phone lines and can cause serious delays. "It can degrade the speed of a workstation to the point of being no different than shutting a PC down."

Kentucky expects its state computers - of which hundreds, if not thousands, were affected - to be running a little better by mid-day Thursday.

Irritating a far greater number of computer users is the Sobig.F worm, which popped up Tuesday morning and spread quickly worldwide.

Sobig.F attacks Windows users via e-mail and file-sharing networks. It also deposits a Trojan horse, or hacker back door, that can be used to turn victims' PCs into senders of spam e-mail.

MessageLabs Inc., a company that filters e-mail for corporations, had blocked more than 100,000 copies of Sobig.F by midday Tuesday, making it by far the most active virus of the day.

"It's definitely spreading very quickly, just an incredible ramp-up so far this morning," said Brian Czarny, marketing director at MessageLabs. The variant is likely to be one of the more successful versions of a very successful virus strain, he said.

The previous Sobig.A and Sobig.B variants are both on MessageLabs' list of the biggest 10 e-mail viruses of all time.

How can you tell if Sobig.F has come to call on you?

Subject lines for Sobig.F include: "Re:Details," "Re: Approved," "Re: Re: My details," "Re: Thank you!", "Re: That movie," "Re: Wicked screensaver," "Re: Your application," "Thank you!", and "Your details."

The message is likely to say: "See the attached file for details" or "Please see the attached file for details."

Attached files are likely to be: "your_document.pif," "document_all.pif," "thank_you.pif," "your_details.pif," "details.pif," "document_9446.pif," "application.pif," "wicked_scr.scr," or "movie0045.pif."

As is the case with many computer viruses, the trouble is unleashed if a recipient clicks on the attached file, at which point the computer will become infected.

Sobig.F sends itself out to names found in its victim's address books and will use one of these names to forge a return address. As such, the infected party may not quickly learn of the infection, while an innocent party may get the blame for helping to propagate it.
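For mail administrators, the subject, message text and attachment lists above can be turned into a simple screening check. The following is an added example, not part of the original article or any vendor's tool; the function names and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the article's lists, lower-cased for comparison.
SUBJECTS = {"re:details", "re:approved", "re:re:my details", "re:thank you!",
            "re:that movie", "re:wicked screensaver", "re:your application",
            "thank you!", "your details"}
BODY_TEXT = "see the attached file for details"  # also matches "Please see ..."
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def _norm_subject(subject):
    # Fold case and whitespace, and drop the optional space after "Re:".
    return " ".join((subject or "").lower().split()).replace(": ", ":")

def sobig_f_signals(raw_bytes):
    """Return which of the article's indicators appear in one raw message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    if _norm_subject(msg["Subject"]) in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
        elif not name and part.get_content_type() == "text/plain":
            text = " ".join(part.get_content().lower().split())
            if BODY_TEXT in text:
                hits.append("body")
    return hits

def is_likely_sobig_f(raw_bytes):
    # Require a listed attachment plus one more signal. The From header is
    # ignored: the article notes the worm forges the return address.
    hits = sobig_f_signals(raw_bytes)
    return len(hits) >= 2 and any(h.startswith("attachment:") for h in hits)

def make_sample(subject, body, filename=None):
    # Constructed test message, not a captured sample; attachment is dummy bytes.
    m = EmailMessage()
    m["From"], m["Subject"] = "someone@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(b"dummy", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A message with a matching subject but no listed attachment is not flagged, since subjects such as "Thank you!" are common in ordinary mail.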

Symantec - maker of Norton Anti-Virus - has upgraded the threat of Sobig.F from a Category 3 to a Category 2, based on the number of submissions of the virus it has received from its customers.

Symantec also has, on its web site, a removal tool developed especially to target Sobig.F.

Like all the other Sobig viruses, this version is programmed to self-destruct after two weeks, in this case on Sept. 10.

And don't forget LovSan/MBlaster. That worm is still at large and if you're a Windows user who hasn't downloaded the Microsoft patch to protect against it, your computer is vulnerable to attack.

LovSan/MBlaster uses a published flaw in Microsoft's Windows operating systems to spread via network connections, without using e-mail. It slowed down the Internet and caused computer restarts worldwide, but the attack it was programmed to carry out against a Microsoft Web site last Saturday proved harmless.

Vincent Weafer, senior director of Symantec Security Response, says Nachi/Welchia is making it harder for many network administrators to clean up after LovSan/MBlaster.

"The worm (Nachi/Welchia) is swamping network systems with traffic and causing denial of service to critical servers," he explains.

LovSan/MBlaster is also affecting some computers in Ontario's emergency response system - networks involved in responding to the aftermath of last week's monster blackout.

It's "making our job more difficult," acknowledged Dr. James Young, Ontario commissioner of public safety.
