Out-Law / Your Daily Need-To-Know

In the worst week ever for cyber attacks, IT departments have been fighting a rear-guard action against four separate virus attacks. MSBlaster hit the headlines last week, and has been followed by a so-called 'good' virus, which patches the flaw that MSBlaster targets. A new variant of the SoBig virus is now also circling the globe, together with a Trojan horse contained in an e-mail, purportedly from Microsoft.

The activity began last Monday when a predicted attack on computers vulnerable through a flaw in Microsoft's Windows operating system got underway. LoveSan, also known as MSBlaster, is estimated to have infected over 570,000 computers, causing the machines to crash and reboot every few minutes.

The worm was programmed to launch a denial of service attack – where a server is overloaded to the point of collapse – against Microsoft's windowsupdate.com web site last Saturday, but the attack never actually materialised because Microsoft removed the site.

A variant of Blaster has now emerged. This Welchia worm targets the same flaw, but patches it rather than causing crashes. However, this 'good' virus appears to be something of a double agent, and internet security companies have issued warnings against it.

On Tuesday security firm Symantec upgraded the threat level of the worm from level two to level four.

"Despite its original intent, the W32.Welchia.Worm is an insidious worm that is preventing IT administrators from cleaning up after the W32.Blaster.Worm," said Vincent Weafer, senior director, Symantec Security Response. "The worm is swamping network systems with traffic and causing denial-of-service to critical servers within organizations."

Microsoft systems are also the target of a hoax e-mail, purportedly from Microsoft, that offers an updated patch for MSBlaster but actually contains a Trojan horse.

A Trojan horse is a program that is installed onto a computer without the owner's knowledge, usually by deceiving the owner about what he or she is getting when opening an e-mail attachment or downloading a file from the internet. Once installed, the Trojan can carry out malicious acts such as destroying data or downloading material onto the computer without the user's knowledge.

IT managers are also battling a new variant of the SoBig virus. This, unlike the Blaster virus, propagates through e-mail, and takes the form of a mass e-mailing from an infected machine. The virus is contained in a .pif or .scr file attached to the e-mail.

To add to the difficulties, many users whose machines have been infected are finding themselves receiving auto-responses accusing them of trying to spread the SoBig virus. These are sent by gateway applications programmed into some computers. Gateway applications scan incoming e-mails, block those containing a virus, and often send an e-mail back to the sender of the viral e-mail – who is usually an innocent party.

Anti-virus firm Sophos recommends "that users do not respond to e-mails from auto-responders accusing them of being infected and spreading the Sobig-F worm. However, they should consider double-checking their computers for the latest viruses just in case they are genuinely infected".
