This week’s virus report focuses on the variants A and B of the Kelar worm (W32/Kelar.A and W32/Kelar.B), the hacking tool, HackTool/NTRootKit, associated to these viruses, and the new E variant of the Blaster worm (W32/Blaster.E). In addition, although this malicious code appeared a days ago, the dangerous Sobig.F worm (W32/Sobig.F) is also mentioned in this report, due to its dangerous activity.
Kelar.A and Kelar.B are two malicious code that join the list of viruses that exploit a vulnerability, known as RPC DCOM, in some versions of Windows. Both worms are very similar and they have been designed to get into computers -by exploiting this vulnerability- through port 135. Once they have reached a computer, they download the hacking tool HackTool/NTRootKit, which allows a malicious user to gain administrator rights on the affected computer. By doing this, these worms can hide processes, log keystrokes, run files and block the computer. In addition, Kelar.A and B connect to several IRC servers in order to send information on the attacked machine to the creator of the worm.
The E variant of the Blaster worm also exploits the RPC DCOM vulnerability. It is very similar to its predecessors, which vary only in the name of the file created on the affected computer, which in this case is MSLAUGH.EXE.
Blaster.E has been designed to carry out denial of service attacks (DoS) against the kimble.org website, whenever the system date is between August 16 and December 31, 2003.
In order to protect your computer against Kelar, Blaster.E and other worms like Blaster or Nachi.A, which are still affecting users days after they appeared, it is advisable to download the security patch from the Microsoft website . By doing this, you will prevent your computer from being infected by any other malicious code that exploit this vulnerability that may appear in the future.
Finally, the Sobig.F worm, which is the virus that has spread most widely in the least amount of time in the history of computers, is still a threat to the integrity of computer systems, specially in corporate environments. This virus can collapse networks in a matter of minutes.
As Sobig.F converts infected computers into authentic spam generators, this worm is continuing to spread rapidly around the world. A significant number of message carrying this worm are continuing to circulate around e-mail servers, and as a result the chances of being hit by this virus are still high.