A computer worm that silently attacks vulnerable Windows computers continued to infect machines around the globe Wednesday, mystifying many whose only hint of trouble came when their computers suddenly began restarting. About 275,000 computers were infected and actively spreading the worm at 7 p.m. ET Wednesday — but some experts said they believed close to 1 million computers had been hit by the worm during the past 48 hours. Still, the spread of MSBlaster was slowing, experts said.
MSBlaster is not spreading as fast as some other well-known worms, like January’s “Slammer.” But it has clearly taken its toll on users, both at home and at work. In one high-profile incident, the worm forced the closing of all Maryland Department of Motor Vehicles offices on Tuesday.
“There is still a steady stream of customers telling us they are seeing it,” said Vincent Gullotto, spokesperson for Network Associates, Inc. “Now we are getting a better idea what the damage has really been.”
It’s hard for experts to say just how many computers were infected at one time or another, Gullotto said. But his firm is estimating about 865,000. Sophos PLC spokesman Chris Belthoff was less specific, but said infections were certainly “in the hundreds of thousands.”
While the rate of the worm’s spread has slowed, experts are concerned MSBlaster might have a slow, steady burn, and continue to infect vulnerable machines for months.
The worm, also known as LovSan, attacks a widespread security flaw found in Microsoft Windows last month. Experts had been predicting an outbreak since the flaw was revealed.
(MSNBC is a Microsoft-NBC joint venture.)
Unlike most viruses, which arrive via e-mail messages, MSBlaster is stealthy. It simply sneaks onto computers connected to the Internet that haven’t been patched for the Windows flaw.
“This worm is different in the respect that there’s is nothing the person is doing to trigger this,” said Dee Liebenstein, group product manager for antivirus firm Symantec. But the worm immediately restarts infected machines; on some occasions, the worm restarts the machine repeatedly, about once a minute. Users who observe such a shutdown should immediately follow steps to remove the worm.
Home users are at greater risk, experts say, because they generally don’t download and install security patches. But early on, infections were reported equally from home and corporate users, Liebenstein said. At 7 p.m. ET Wednesday, 275,000 computers were scanning the Internet trying to infect other machines, indicating that many computers were infected, Symantec said.
“It’s dangerous from the perspective that it can consume a lot of bandwidth,” said Russ Cooper of TruSecure Corp. “Every compromised machine is constantly attacking.”
So many computers are infected and scanning the Internet for more victims that the average Net-connected computer be attacked in under an hour, said Symantec’s Oliver Friedrichs.
“As soon as you connect to the Internet you are exposed. It’s a race to get the patch installed,” he said. “If you are online you are guaranteed to be hit within 25 minutes.”
WindowsXP users should consider enabling the firewall which comes with the operating system before they download the patch, he said. Others should download the patch, then check for signs that their system is infected by searching for a file named “MSBlast.exe.”
Installing the Microsoft patch after an infection does no good; at that point victims have to first remove the virus, then install the patch. Instructions on how to do so are provided here.
‘Buggy' worm
Still, experts said damage from the outbreak was limited. Cleanup and recovery from infection are relatively easy, and the worm isn’t designed to delete files or do anything malicious to infected machines.
Craig Schmugar, virus researcher with Network Associates Inc., said its spread was limited because the worm is “buggy,” which considerably slowed its effectiveness. While the constant crashing and restarting is annoying to individual victims, it hampers the worm’s progress, Schmugar said.
“By that nature that hurts its chances,” he said. “A different version of the virus could have been a lot worse.”
And in fact, two variants of the worm have already been released, with the program changed slightly in an attempt to evade antivirus detection. But neither variant has begun to spread, according to Symantec.
Meanwhile, Cooper said he was concerned that the worm might get a bit of a second life later this week when Internet service providers turn off special filters they’ve implemented temporarily to cut off MSBlaster.
“We’ve seen that before,” he said.
The worm first emerged late Monday carrying a message for the Microsoft chairman: “Billy Gates why do you make this possible? Stop making money and fix your software!!”
Blaster zeroes in on computers running Windows 2000, Windows XP, Windows NT 4.0 and Windows Server 2003 operating systems, Microsoft said. Once Blaster infects a computer, it scans the Internet for other vulnerable machines to infiltrate.
The worm has been timed to attack a Microsoft security Web site later this month. Microsoft urged computer users to visit to download the patch to protect their system.
Most experts believe Saturday’s attack won’t succeed, because Microsoft has so much time to prepare for it. But it could cause spotty slowdown in Internet access, Friedrichs said.
“Certainly there is some risk. We’re really unclear of what the impact will be,” he said. “Every system infected will launch the attack.”
Reuters contributed to this story.