Windows 2000 Worms Still Spreading

Malicious software that takes advantage of a recently disclosed vulnerability in Microsoft's Windows operating system has spread rapidly and has now infected more than 250,000 systems, primarily Windows 2000 systems being run in corporate environments, according to security vendor Computer Associates International.

The worms received widespread media attention after CNN reported that it had been affected by the problem, but on Wednesday representatives from companies that had been affected downplayed the level of disruption.

Because of the design of the worms, they have largely left home users unaffected and have instead focused on spreading within corporate networks, according to security experts interviewed this week.

Businesses Hit

An undisclosed number of internal systems at telecommunications provider SBC Communications were affected by the worms, beginning late Tuesday, says Wes Warnock, an SBC spokesperson, but the outages had no effect on the company's voice or data networks, he adds.

"It's almost a non-issue. SBC is like any company that was running Windows 2000 and didn't have the patches," he says.

American Express was also hit, according to company spokesperson Judy Tenzer. "We did experience some issues with some of our computer desktops and much of that has now been resolved," she says. On Wednesday morning, some systems within the company's call center were unavailable because of the outages.

Media outlets have been among the hardest hit by the worm. The New York Times confirmed Wednesday that some of its systems had been infected, and the ABC television network, a unit of Walt Disney, is also reported to have been hit.

While CA is now estimating that more than 250,000 systems have been affected by different variants of the plug-and-play worms, these attacks have received special attention because they have hit media outlets, according to Sam Curry, vice president of CA's eTrust Security Management division. In the past, lesser-reported attacks have hit similar numbers of computers, he says.

"We see numbers climb out into the hundreds of thousands and it never gets attention," he says. "Who gets affected will influence how much publicity this gets."

Low to Medium Threat

CA is rating the viruses as a low to medium threat and most of its customers have not generally been widely affected by them, Curry says. "We have little to no escalations from customers that have been affected by it," Curry says. "We have no one saying, 'Oh my God I'm in trouble,' but we do have customers calling up and saying what do I need to know?"

However, McAfee's antivirus response team raised its risk assessment to "high" for one worm variant, called IRCBot worm. Late Tuesday it said it had received more than 150 reports of the worm either being stopped or infecting users' PCs, mostly in the U.S. but also from Europe and Asia.

By Wednesday, Symantec customers had reported just over 230 instances of the worms, the company says. This was far less than the thousands of reports that the company had received on highly publicized worm outbreaks such as last year's Sasser worm, Symantec says.

It's certainly not a Sasser; it's certainly not a Slammer," says Russ Cooper, senior information security analyst for Cybertrust. "Our recommendation to our customers is to get patches applied within 90 days, because the normal mechanisms should prevent this from getting to your organization."

According to Cooper, the best way for corporations to protect themselves from these attacks is to ensure that they secure all the devices that connect to their networks. "These things are getting in through VPN users or though home or traveling users," he says. "This is a common failing in organizations ... they have protection at a gateway, but meanwhile they let their home users connect via VPN."

The worms all stem from a vulnerability reported August 9 in Microsoft's Windows 2000 Plug and Play service. They will cause infected systems to reboot and infected systems are then instructed to download a variety of malicious software that is then used to attack other systems, antivirus vendors says.

Microsoft's Web page, "What you should know about Zotob," includes links to the patch and was updated Tuesday.

Customers in the U.S. and Canada who think they have been infected can call Microsoft's Product Support Services at 1-866-PCSAFETY, Microsoft says. There is no charge for calls to do with security update issues or viruses, it said. International customers should refer to its Security Help and Support for Home Users Web site, it says.