'Children Of Blaster''Children Of Blaster'

Tech-security pros knew a worm was coming, once Microsoft announced in July a serious security vulnerability in the most-current versions of its Windows operating system. The worm arrived last week in the form of Blaster, or LoveSan, a virus that infected more than a million systems and clogged corporate networks.

Now they know what's likely to come next: New attacks and variants that use the Blaster worm's approach and create more-destructive strains. "I'm now more concerned about the children of Blaster," says Alfred Huger, senior director of engineering at security software maker Symantec Corp.

Blaster followed what's become a common pattern: a virus author builds a worm to exploit a known flaw, and it succeeds because many people never install the patch to eliminate the vulnerability. The worm targeted at-risk Windows operating systems used by both home users and businesses.

McAfee Security estimates 1.4 million systems were infected last week, but that tally may go much higher, especially if variants succeed. Millions of computer systems likely remain unpatched, says Dan Ingevaldson, engineering manager for the security research group X-Force at Internet Security Systems Inc. By late last week, variants of the worm, ranging from changes in its name to minor tweaks in its code, began to surface. "All it takes is someone to grab the code and tweak it to make it better, faster, and much more destructive," Ingevaldson says.

Remember Code Red, the worm that wreaked havoc on the Internet in the summer of 2001? The one that caused the damage was actually Code Red II. It was an optimized variant of the original that swept through hundreds of thousands of vulnerable systems running Microsoft's Internet Information Services in a matter of hours.

Blaster actually wasn't that destructive a worm, Ingevaldson says. It doesn't work every time, and it crashes many victim's systems, which limits how quickly and widely it spreads. Ingevaldson says a more dangerous version would spread faster, not crash infected systems, and contain means to steal or destroy data: "It doesn't take much to make these worms more destructive."