Net Worm Causes Some More Disruptions

AP Internet Writer

NEW YORK – A virus-like Internet worm that had crippled tens of thousands of computers over the weekend caused limited network disruptions Monday as employees returned to work.

Though the worm had been largely contained by Saturday evening, security experts saw a slight increase in attacks Monday as the work days began in Asia and Europe.

“There seems to be lots of computers which were off during the weekend and are now turned on,” said Mikko Hypponen, manager of antivirus research at F-Secure Corp. in Finland.

Internet Security Systems Inc. of Atlanta saw another wave begin shortly after 9 a.m., corresponding to U.S. business hours.

The latest attacks, however, were nowhere near the intensity of Saturday’s outbreak, which had congested the network for countless Internet users and even disabled Bank of America cash machines.

Meanwhile, officials said Monday they still did not know its origins.

“It’s going to take at least a few days to (analyze) data coming in,” said Tiffany Olson, spokeswoman for President Bush’s Critical Infrastructure Protection Board. “A lot of times, this will take weeks, months, potentially years and we may never know.”

The worm, variously known as Slammer or Sapphire, took advantage of a vulnerability in some Microsoft Corp. software that had been discovered in July.

Microsoft had made software updates available to patch the vulnerability in its SQL Server 2000 software — used mostly by businesses and governments — but many system administrators had yet to install them when the attack hit Saturday.

As the worm infected one computer, it was programmed to seek other victims by sending out thousands of probes a second, saturating many Internet data pipelines.

Unlike most viruses and worms, it spread directly through network connections and did not need e-mail as a carrier. Thus, only network administrators who run the servers, not end users, could generally do anything to remedy the situation.

However, many machines may have been overlooked in the repairs because they run related programs, Microsoft Desktop Engine or Data Engine, that reside on individual desktops or laptops.

“While the weekend focus was on servers, now the problems persist in desktop machines,” said Russ Cooper, a security analyst at TruSecure Corp.

He said users can get rid of the worm by simply turning off the machine, but he suggests users then contact their network managers to prevent getting it again.

Chris Rouland, director of Internet Security Systems’ X-Force research arm, said the biggest effect Monday was primarily on specific corporations and organizations, unlike Saturday when the Internet as a whole was disrupted.

A small number of home users could be affected if they run certain applications using Desktop or Data Engine, particularly through high-speed lines, he said.

The disruptions were greater in South Korea, where computer security is generally lax, Rouland said.

Internet service in South Korea was “stable” though not at 100 percent early Monday, said Woo Do-shik, a spokesman for South Korea’s Information and Communication Ministry.

South Korean President Kim Dae-jung ordered agencies to come up with restoration and contingency plans, said his chief spokesman, Park Sun-sook.

The weekend’s Internet attack had security experts worried that too many system managers are only fixing problems as they occur, rather than keeping their defenses up to date.

Like the latest worm, two of the previous major outbreaks, Code Red and Nimda, also exploited known problems for which fixes were available.

“There was a lot that could have been done between July and now,” said Howard A. Schmidt, President Bush’s No. 2 cybersecurity adviser. “We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up-to-date.”