ZDNet UK


Windows worms wreak havoc

Joris Evers CNET News.com

Published: 17 Aug 2005 10:15 BST


Network worms are shutting down computers running Microsoft's Windows 2000 operating system, security experts warned on Tuesday.

Computers across the United States are being hit, including those at cable news station CNN, television network ABC and The New York Times. Tokyo-based antivirus company Trend Micro blames the havoc on various worms, including the Zotob worm that hit the Internet over the weekend and new variants of the Rbot worm.

All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. Microsoft offered a fix for the bug as part of its monthly patching cycle last week. The software maker deemed the issue "critical", its most serious rating.

"It seems like every couple of minutes a new variant comes in. We cannot pinpoint the infections to one variant," said Joe Hartmann, director of the antivirus research group at Trend Micro. "We are still gathering infection reports. It is coming globally."

Symptoms of infection include the repeated shutdown and rebooting of a computer, Trend Micro said.

Microsoft is investigating the reports of the worm outbreak, the company said in a statement. It lists "Worm_Rbot.CEQ," an Rbot variant, as the possible cause of the trouble.

Inside job

The multiple worms are hitting individual organisations rather than computer users at large, said Johannes Ullrich, chief research officer at the SANS Institute, an Internet security training and research outfit.

"These worms are not having an impact on the Internet," Ullrich said. "They do have a substantial effect on organisations running Windows 2000 without last week's Microsoft patch installed."

The pain is being felt "on the inside", agreed David Cole, the director of product management at Symantec Security Response. The worms might slither onto the networks of companies with Windows 2000 systems from an infected laptop that has been used outside the corporate firewall, for example, he said.

"It gets inside an organisation and then it bounces around and wreaks havoc," Cole said.

The New York Times has been hit by the virus, but the assault has not impacted the delivery of the news, said a spokeswoman for the publication.

"The Web site was not affected and newspaper production will not be affected," the representative said. The internal systems of the paper are "operational", the representative added, but she did not state what degree of impact the worm had had on its internal operations.

Walt Disney's ABC News and Time Warner's CNN confirmed in postings to their Web sites that their computers had been hit.

Which worm is responsible?

Experts have different opinions on the cause of the latest infections. The SANS Internet Storm Centre, which tracks network threats, attributes Tuesday's trouble to Zotob, which keeps mutating and finding new victims. "As seen with prior TCP worms, it is reaching its peak around three days after the outbreak," SANS said on its Web site.

The security issue exploited by the worm also affects the newer Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.

The onslaught of worms based on the plug-and-play flaw appeared less than a week after Microsoft's patch release, leaving users very little time to protect their systems.

Many Windows 2000 users are likely to have not patched yet since they need time to test the fixes before installing them, Ullrich said.

Although there are several worms that exploit the Windows plug-and-play flaw, the spread remains limited, Cole said. "We are not seeing any one of these really soaring or escalating to something like a Blaster or Slammer," he said. Symantec has elevated its ThreatCon rating from one to two, with five being the highest.

Trend Micro has rated the worm attack "yellow," which is in the middle of its alert range. The security company has seen thousands of infections from Zotob alone, Hartmann said.

Infected machines can be cleaned up using tools available from antivirus software makers, including Symantec. Windows 2000 users who have not patched should do so, Microsoft urges.

CNET News.com's Michael Kanellos contributed to this report.
