Computer Infection Snarls Global Networks

Despite an easy fix, the Blaster worm disabled tens of thousands of computers worldwide Tuesday, bringing some businesses to a halt.

NEW YORK (AP)—The latest Internet attack on Microsoft operating systems by rogue software disabled tens of thousands of computers worldwide on Tuesday, though a fix had been available for nearly a month.

The virus-like worm, dubbed "LovSan" or "blaster," snarled corporate networks with an inundation of data packets and frustrated home computer users unversed in techie triage.

It forced Marylands motor vehicle agency to close for the day and kicked Swedish Internet users offline as it spread, the worm triggering Windows computers to shut down and restart.

Security experts said the world was lucky this time around because LovSan is comparatively mild and doesnt destroy files. They worry that a subsequent attack exploiting the same flaw—one of the most severe to afflict Windows—could be much more damaging.

"We think were going to be dealing with it for quite some time," said Dan Ingevaldson, engineering manager at Internet Security Systems Inc. in Atlanta.

Although LovSan did not appear to do any permanent damage, Ingevaldson said instructions to do just that could easily be written into a worm that propagates in the same way.

On July 16, Microsoft Corp. posted on its Web site a free patch that prevents LovSan and similar infections. The underlying flaw affects nearly all versions of the software giants flagship Windows operating system.

Notwithstanding high-profile alerts issued by Microsoft and the Department of Homeland Security, many businesses did not install the patches and scrambled Tuesday to shore up their computers.

Security experts say patches often stay on "to do" lists until outbreaks occur.

"Youre looking at 70 new vulnerabilities every week," said Sharon Ruckman, senior director at the research lab for anti-virus vendor Symantec Corp. "Its more than a full-time job trying to make sure you are up to date."


Microsoft spokesman Sean Sundwall acknowledged that the blame does not really lie with customers.

"Ultimately, its a flaw in our software," he said.

The latest infection was dubbed "LovSan" because of a love note left behind on vulnerable computers: "I just want to say LOVE YOU SAN!"

Researchers also discovered another message hidden inside the infection that appeared to taunt Microsofts chairman: "billy gates why do you make this possible? Stop making money and fix your software!"

Tracing its origins will be difficult because the worm left few clues in the form of hidden greetings to friends, said Marc Maiffret, co-founder of eEye Digital Security. The worm appeared based on code released earlier by a Chinese research group that goes by Xfocus, Maiffret said.

Non-Microsoft systems were not vulnerable, though some may have had trouble connecting with Web sites, e-mail and other servers that run on Windows.

Symantecs probes detected more than 125,000 infected computers worldwide.

The worm exploits a flaw in Windows used to share data files across computer networks. It was first reported in the United States on Monday and spread across the globe as businesses opened Tuesday and workers logged on.

Additional U.S. computers were hit Tuesday, and Marylands Motor Vehicle Administration shut all its offices at noon.

"Theres no telephone service right now. Theres no online service right now. Theres no kiosk or express office service," spokeswoman Cheron Wicker said. "We are currently working on a fix and expect to be operational again in the morning."

In Sweden, Internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers that handled Internet traffic.

Among companies affected in Germany was automaker BMW, said spokesman Eckhard Vannieck. He said the problems did not affect production.

Symantec, F-Secure Corp. and other anti-virus companies have free tools for removing the worm.

All Windows users, whether their computers were infected or not, were encouraged to obtain a fix from Microsofts Web site. Anti-virus and firewall products should also be updated, security experts say.


Larger companies typically have firewalls that can stem attacks, but once a worm gets inside a firewall, unprotected computers are vulnerable.

Employees connecting from home or taking infected laptops to the office can allow the worm to easily penetrate a companys defenses, said Russ Cooper, a senior researcher at TruSecure Corp.

But to expect home users to keep their systems current is unreasonable, said Bruce Schneier, chief technology officer with Counterpane Internet Security Inc. He blames software developers for writing bad software that constantly need "critical" patches.

"My mother will never install the patch until I come visit," he said. "I couldnt even call her and walk her through it. The industry is wrong to expect her to do it. The fact that she sends me e-mail is incredible enough."