Windows Worm: Long Wait for Fix

Microsoft has the cure for the Blaster worm, but users face traffic snarls as they try to download.

Computer users were scrambling Wednesday for alternate fixes for the havoc wreaked by the Blaster worm as many people were unable to reach Microsoft Corp.’s main patch download site.

The Windows Update Web site, through which users can automatically download security patches and other software fixes, was extremely sluggish most of Tuesday afternoon and Wednesday morning, and some users reported being unable to reach the site at all. Officials at Microsoft said they’ve seen an increase in traffic as customers swarm the site looking for the patch to prevent Blaster infections.

“We’ve definitely seen an uptick in traffic, but there have been no outages on the site,” said Stephen Toulouse, security program manager at the Microsoft Security Response Center in Redmond, Wash.

The Blaster worm, also known as LoveSan, began infecting Windows NT, 2000 and XP machines Monday afternoon and has been spreading rapidly ever since. The worm exploits a vulnerability in the Windows RPC (Remote Procedure Call) service and sucks up a lot of bandwidth scanning for other vulnerable machines once it has infected a PC.

Microsoft made a patch available for the flaw in mid-July when the vulnerability was first disclosed, and those people who waited until now to apply it are running into serious problems. Between the slow response on the WU site and the fact that infected XP machines fall into a continuous reboot cycle once the RPC service fails, many users have been unable to download the fix. Users can also download the patch from the Download Center at Microsoft’s main Web site.


There are some other alternatives for cleaning up Blaster, though. On XP machines, users can enable the Internet Connection Firewall, which blocks the worm’s activity, and then try to download the patch. Users running other operating systems can install other personal firewalls or follow a set of steps to disable the DCOM (Distributed Component Object Model) service in Windows to prevent infection by Blaster, and then install the patch, according to officials at the CERT Coordination Center.

However, on machines running Windows 2000 Service Pack 1 or 2, this method does not completely disable DCOM, security experts said.

In addition to causing major head-aches for users and IT staffs, Blaster is also being blamed for some service problems on Comcast Corp.’s cable modem network. Several Comcast customers said their service had been down for extended periods during the last couple of days and that Comcast officials said Blaster was to blame.