Free Republic

Worm targets Windows flaw, patch site
San Jose Mercury News | Aaron Davis and Kristi Heim

Posted on 08/11/2003 10:50:25 PM PDT by HAL9000

A virus-like computer attack that began spreading across the Internet and crashing computer networks Monday is expected to infect hundreds of thousands of computers worldwide in coming days.

By Saturday, it may reach a climax when it's programmed to direct all infected computers to attack a security-related Microsoft Web site, computer security experts said.

The target Web site, www.windowsupdate.com, is used by millions of Microsoft users each week to automatically update computers with the latest anti-virus software and patches.

It's unclear how much damage might be caused by the computer worm, already dubbed LoveSan, Blaster and MSBlaster. But security experts said it is similar in structure to the ``Code Red'' virus that affected 300,000 computers and caused an estimated $1.2 billion in cleanup costs in July 2001.

MSBlaster targets a flaw in Microsoft Windows operating systems that the U.S. Department of Homeland Security singled out earlier this month for an unprecedented series of warnings. In two public advisories, federal officials said they believed a sophisticated attack on the software flaw could disrupt as many as 75 percent of all computers linked to the Internet.

As of Monday evening, anti-virus software maker Symantec of Cupertino said it had confirmed about 60,000 infected computers. The attack was expected to spread overnight, possibly to Asia.

Targeted computers

Microsoft had acknowledged the software flaw July 16 and issued a patch for customers to download from the company's Web site. Before Monday's attack, however, Microsoft had declined to say how many users had downloaded the patch, leaving unclear how many computers are still vulnerable to attack.

MSBlaster targets four versions of Windows operating systems: Windows NT, Windows 2000, Windows XP and Windows Server 2003. The worm attacks computers through a flaw in the part of Windows that handles Internet traffic and lets computers share files, among other activities.

Unlike a virus, MSBlaster is considered a computer ``worm'' because it does not require computer users to open an e-mail attachment or take any other action to spread automatically from computer to computer. Home computer users who leave computers constantly online to the Internet through DSL or cable are among those most at risk.

Alfred Huger, senior director of Symantec Security Response, said for now the worm appears to be targeting Windows XP systems about 80 percent of the time. When the worm affects an XP system it often reboots the computer and prompts a warning box to display on the screen.

Users of other systems, like Windows 2000, however, may not get any overt warning that their computers have been infected. Users should monitor to see if their Web access becomes sluggish or look for unusually high CPU readings, Huger said.

The worm is designed to launch an attack called ``denial-of-service'' that could disable the Microsoft Update Web site Saturday, said Johannes Ullrich, chief technology officer at the Internet Storm Center at the Bethesda, Md.-based SANS Institute. That's one month after the company first published the patch intended to guard against an attack.

Microsoft spokesman Sean Sundwall said it was hard to say how reliable the predictions were regarding Saturday's attack. ``But we're taking it on its word,'' Sundwall said.

The denial-of-service attack is programmed to continue until the end of the month and restart again every month on the 16th, Huger said. The worm will be almost impossible to trace and could continue to infect computers for years to come, security officials warned. More than two years after its release, Code Red continues to infect an estimated 10,000 computers each day.

Encrypted message

The Windows Update Web site may have appeared to experience a slowdown Monday, but that could have been because of heavy traffic from people trying to get the patch, Sundwall said.

In addition to the attack date coinciding with the one-month anniversary of Microsoft's release of the patch, encrypted in the worm were strings with messages clearly aimed at Microsoft founder Bill Gates, according to Ullrich.

``billy gates why do you make this possible ? Stop making money and fix your software!!''



TOPICS: News/Current Events; Technical
KEYWORDS: blaster; lowqualitycrap; microsoft; msblast; windows; worm

1 posted on 08/11/2003 10:50:25 PM PDT by HAL9000

To: HAL9000
``billy gates why do you make this possible ? Stop making money and fix your software!!''

Linux Marxists at work...
2 posted on 08/12/2003 12:39:52 AM PDT by Bush2000

To: HAL9000
What would constitute an unusually high CPU reading?

3 posted on 08/12/2003 12:46:30 AM PDT by onyx (Name an honest democrat? I can't either!)

To: onyx
Depends on what you have running but at idle, you shouldn't read any more than a few %.
4 posted on 08/12/2003 12:55:02 AM PDT by paul544 (3D-Joy OH Boy!!!)

To: paul544
A firewall should keep you safe. Keep your anti-virus definition files up to date. Get free tools from http://grc.com to turn off raw sockets and universal plug and play services to keep out hackers. And don't download any suspicious files from sources you don't trust. Taken all together these four simple steps should keep your computer virus and trojan horse free.
5 posted on 08/12/2003 1:05:14 AM PDT by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)

Well I got it... I am running 2000Pro on Dial-Up and I am running 3 firewall programs, it still got through without my knowledge. I checked to see if I had it after reading a different FR thread that was posted about it, sure enough it was on my system. I had to update my virus scan software and it detected it and then removed it for me.

Do a file search for MSBlaster.exe and see if it pops up, if it does update your virus software and run it. If you have it but do not have a virus protector, go to http://www.grisoft.com and download the free version of AVG, after you download it, run the software update for it and it will install the latest updates for it, then run AVG for a full virus check (after you have downloaded the software and updated it) and it will detect it and remove it for you.

I had it on my system and my computer was "not" shutting down like other people who also had it. My computer was operating fine, but I decided to check for it and sure enough it was there.
6 posted on 08/12/2003 1:14:48 AM PDT by stlnative

To: paul544
Thank you for your kind response! Much appreciated.
7 posted on 08/12/2003 4:29:06 AM PDT by onyx (Name an honest democrat? I can't either!)

To: HAL9000
One article on news.google.com says port 134. Another says port 4444. Recorded tons & tons of hits on port 2034 since a couple of days ago. What's the straight dope?
8 posted on 08/12/2003 4:38:33 AM PDT by Nataku X (Never give Bush any power you wouldn't want to give to Hillary.)

To: HAL9000
Port 137 is getting pounded on my machine.
9 posted on 08/12/2003 4:45:59 AM PDT by AppyPappy (If You're Not A Part Of The Solution, There's Good Money To Be Made In Prolonging The Problem.)

To: Bush2000
Linux Marxists at work...

Prove it... or retract.

10 posted on 08/12/2003 7:08:32 AM PDT by TechJunkYard (because... so much is riding on your wires)

To: Bush2000
Linux Marxists at work...

Why should Linux users care? We don't get infected by Windows virii...
11 posted on 08/12/2003 9:33:10 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: TechJunkYard
No need to ask for a retraction. You know you won't get it, nor the admission that the software does indeed need to be fixed.
12 posted on 08/12/2003 10:06:03 AM PDT by rdb3 (I'm not a complete idiot. Several parts are missing.)

To: TechJunkYard
Prove it... or retract.

Their statement is a dead giveaway: The "software must be free" crowd has a problem with anybody who wants to profit from software sales.
13 posted on 08/12/2003 10:33:37 AM PDT by Bush2000

To: Bush2000
Bump for later
14 posted on 08/12/2003 10:37:53 AM PDT by r9etb

To: Bush2000
The "software must be free" crowd has a problem with anybody who wants to profit from software sales.

Not true... the problem they have is with companies which use dishonest and illegal means.

However, your deflection won't work. You have asserted that a Linux hacker wrote and/or released this worm. If you have proof of this, I want to see it, otherwise shut your hypocritical face. You wouldn't let any of us get away with such accusations against Microsoft.

15 posted on 08/12/2003 11:11:41 AM PDT by TechJunkYard (because... so much is riding on your wires)
