Blaster (computer worm)
== Timeline ==
*May 28, 2003: Microsoft releases a [[Patch (computing)|patch]] that would protect users from an exploit in WebDAV that [[Welchia]] used. (Welchia used the same exploit as MSBlast but had an additional method of propagation that was fixed in this patch. This method was only used after 200,000 RPC DCOM attacks - the form that MSBlast used.)<ref>{{cite web |title=The Welchia Worm |pages=14, 17 |url=https://www.giac.org/paper/gcih/517/welchia-worm/105720 |format=PDF |date=2003-12-18 |first=Gene |last=Bransfield |access-date=2018-11-03}}</ref><ref>{{cite web |title=Buffer Overrun in Windows Kernel Message Handling could Lead to Elevated Privileges (811493) |url=https://docs.microsoft.com/en-us/security-updates/securitybulletins/2003/ms03-013 |access-date=2018-11-03}}</ref>
*July 5, 2003: Timestamp for the patch that Microsoft releases on the 16th.<ref name="support.microsoft.com"/>
*July 16, 2003: Microsoft releases a patch that would protect users from the yet unknown MSBlast. At the same time they also release a bulletin describing the exploit.<ref name="support.microsoft.com"/><ref>{{cite web |title=Flaw In Microsoft Windows RPC Implementation |url=http://www.iss.net/threats/147.html |date=2003-07-16 |url-status=dead |archive-url=https://web.archive.org/web/20160304023343/http://www.iss.net/threats/147.html |archive-date=2016-03-04}}</ref>
*Around July 16, 2003: White hat hackers create proof-of-concept code verifying that the unpatched systems are vulnerable. The code was not released.<ref name="able2know" />
*July 17, 2003: CERT/CC releases a warning and suggests blocking port 135.<ref name="cert.org">{{cite web |url=http://www.cert.org/historical/advisories/CA-2003-16.cfm |title=Buffer Overflow in Microsoft RPC |url-status=dead |archive-url=https://web.archive.org/web/20140715013109/http://www.cert.org/historical/advisories/CA-2003-16.cfm |archive-date=2014-07-15 |date=2003-08-08 |access-date=2018-11-03}}</ref>
*July 21, 2003: CERT/CC suggests also blocking ports 139 and 445.<ref name="cert.org"/>
*July 25, 2003: {{Proper name|xFocus}} releases information on how to exploit the RPC bug that Microsoft released the July 16 patch to fix.<ref>{{cite web|title=The Analysis of LSD's Buffer Overrun in Windows RPC Interface |url=http://www.xfocus.org/documents/200307/2.html |date=2003-07-25 |url-status=dead |archive-url=https://web.archive.org/web/20180217063837/http://www.xfocus.org/documents/200307/2.html |archive-date=2018-02-17 |access-date=2018-11-03}}</ref>
*August 1, 2003: The U.S. issues an alert to be on the lookout for malware exploiting the RPC bug.<ref name="able2know" />
*Sometime prior to August 11, 2003: Other viruses using the RPC exploit exist.<ref name="ISSLifecycle" />
*August 11, 2003: Original version of the worm appears on the Internet.<ref name="infoworld.com">{{cite news |title=Blaster worm spreading, experts warn of attack |url=https://www.infoworld.com/article/2677291/security/blaster-worm-spreading--experts-warn-of-attack.html |date=2003-08-12 |first=Paul F. |last=Roberts |newspaper=InfoWorld |access-date=2018-11-03}}</ref>
*August 11, 2003: Symantec Antivirus releases a rapid release protection update.<ref name="Symantec" />
*August 11, 2003, evening: Antivirus and security firms issue alerts to run Windows Update.<ref name="infoworld.com"/>
*August 12, 2003: The number of infected systems is reported at 30,000.<ref name="infoworld.com"/>
*August 13, 2003: Two new worms appear and begin to spread. (Sophos, a variant of MSBlast and W32/RpcSpybot-A, a totally new worm that used the same exploit)<ref>{{cite web |title=New Blaster worm variant on the loose |url=https://www.infoworld.com/article/2677200/application-development/new-blaster-worm-variant-on-the-loose.html |date=2003-08-13 |first=Paul F. |last=Roberts |publisher=InfoWorld |access-date=2018-11-03}}</ref>
*August 15, 2003: The number of infected systems is reported at 423,000.<ref>{{cite web |title=Blaster worm attack a bust |url=https://www.infoworld.com/article/2677039/security/blaster-worm-attack-a-bust.html |date=2003-08-18 |first=Paul F. |last=Roberts |publisher=InfoWorld |access-date=2018-11-03}}</ref>
*August 16, 2003: DDoS attack against windowsupdate.com starts. (Largely unsuccessful because that URL is merely a redirect to the real site, windowsupdate.microsoft.com.)<ref name="infoworld.com"/>
*August 18, 2003: Microsoft issues an alert regarding MSBlast and its variants.<ref>{{cite web |title=Virus alert about the Blaster worm and its variants |url=https://support.microsoft.com/en-us/help/826955 |publisher=Microsoft Corporation |work=Microsoft Support |access-date=2018-11-03}}</ref>
*August 18, 2003: The related [[Anti-worm|helpful worm]], [[Welchia]], appears on the internet.<ref name="SymantecWelchia">{{cite web |title=W32.Welchia.Worm |url=https://www.symantec.com/security-center/writeup/2003-081815-2308-99 |archive-url=https://web.archive.org/web/20180903194250/https://www.symantec.com/security-center/writeup/2003-081815-2308-99 |url-status=dead |archive-date=September 3, 2018 |date=2017-08-11 |access-date=2018-11-03 |publisher=Symantec}}</ref>
*August 19, 2003: Symantec upgrades their risk assessment of Welchia to "high" (category 4).<ref>{{cite news |last=Naraine |first=Ryan |title='Friendly' Welchia Worm Wreaking Havoc |url=http://www.internetnews.com/ent-news/article.php/3065761/Friendly+Welchia+Worm+Wreaking+Havoc.htm |access-date=2018-11-03 |publisher=InternetNews.com |date=2003-08-19}}</ref>
*August 25, 2003: McAfee lowers their risk assessment to "Medium".<ref name="Virus Profile: W32/Lovsan.worm.a">{{cite web |title=Virus Profile: W32/Lovsan.worm.a |url=https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=100547 |date=2003-08-11 |publisher=[[McAfee]] |access-date=2018-11-03}}</ref>
*August 27, 2003: A potential DDoS attack against HP is discovered in one variant of the worm.<ref name="Symantec" />
*January 1, 2004: Welchia deletes itself.<ref name="SymantecWelchia" />
*January 13, 2004: Microsoft releases a stand-alone tool to remove the MSBlast worm and its variants.<ref>{{cite web|title=A tool is available to remove Blaster worm and Nachi worm infections from computers that are running Windows 2000 or Windows XP |url=http://support.microsoft.com/kb/833330 |url-status=dead |archive-url=https://web.archive.org/web/20140806204101/http://support.microsoft.com/kb/833330 |archive-date=2014-08-06 |publisher=Microsoft Corporation |work=Microsoft Support |access-date=2018-11-03}}</ref>
*February 15, 2004: A variant of the related worm Welchia is discovered on the internet.<ref>{{cite web |title=W32.Welchia.C.Worm |url=https://www.symantec.com/security-center/writeup/2004-021513-4624-99 |archive-url=https://web.archive.org/web/20181103214906/https://www.symantec.com/security-center/writeup/2004-021513-4624-99 |url-status=dead |archive-date=November 3, 2018 |publisher=Symantec |date=2007-02-13 |access-date=2018-11-03}}</ref>
*February 26, 2004: Symantec lowers their risk assessment of the Welchia worm to "Low" (category 2).<ref name="SymantecWelchia" />
*March 12, 2004: McAfee lowers their risk assessment to "Low".<ref name="Virus Profile: W32/Lovsan.worm.a"/>
*April 21, 2004: A "B" variant is discovered.<ref name="Virus Profile: W32/Lovsan.worm.a"/>
*January 28, 2005: The creator of the B variant of MSBlaster is sentenced to 18 months in prison.<ref>{{cite web |title=Minnesota Man Sentenced to 18 Months in Prison for Creating and Unleashing a Variant of the MS Blaster Computer Worm|url=https://www.justice.gov/criminal/cybercrime/press-releases/2005/parsonSent.htm |date=2005-01-28 |url-status=dead |archive-url=https://web.archive.org/web/20140714174209/http://www.justice.gov/criminal/cybercrime/press-releases/2005/parsonSent.htm |archive-date=2014-07-14 |access-date=2018-11-03}}</ref>