
August 16, 2005 3:44 PM PDT

Windows worms knocking out computers

Network worms that shut down computers running Microsoft's Windows 2000 operating system on Tuesday may be linked to competition between rival hackers, security experts said.

Computers across the United States have been hit, including those at cable news station CNN, television network ABC and The New York Times. Tokyo-based antivirus company Trend Micro blames the havoc on various worms, including the Zotob worm that hit the Internet over the weekend and new variants of the Rbot worm.

Some security researchers claim the outbreak is tied to a "war" between rival virus writers. "We seem to have a botwar on our hands," Mikko Hypponen, chief research officer at Finnish software security firm F-Secure, said in a statement issued on Wednesday.

"There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines," he said.

All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. Microsoft offered a fix for the bug as part of its monthly patching cycle last week. The software maker deemed the issue "critical," its most serious rating.


"It seems like every couple of minutes a new variant comes in. We cannot pinpoint the infections to one variant," Joe Hartmann, director of the antivirus research group at Trend Micro, said on Tuesday. "We are still gathering infection reports. It is coming globally."

Symptoms of infection include the repeated shutdown and rebooting of a computer, Trend Micro said.

Microsoft is investigating the reports of the worm outbreak, the company said in a statement. It lists "Worm_Rbot.CEQ," an Rbot variant, as the possible cause of the trouble.

The company also sought to downplay the threat and said Windows 2000-based PCs running the latest patch are protected. "Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack," the company said in a statement issued Tuesday.

Inside job
The multiple worms are hitting individual organizations rather than computer users at large, said Johannes Ullrich, chief research officer at the SANS Institute, an Internet security training and research outfit.

"These worms are not having an impact on the Internet," Ullrich said on Tuesday. "They do have a substantial effect on organizations running Windows 2000 without last week's Microsoft patch installed."

The pain is being felt "on the inside," agreed David Cole, the director of product management at Symantec Security Response. The worms might slither onto the networks of companies with Windows 2000 systems from an infected laptop that has been used outside the corporate firewall, for example, he said.

"It gets inside an organization and then it bounces around and wreaks havoc," Cole said.

The New York Times has been hit by the virus, but the assault has not impacted the delivery of the news, said a spokeswoman for the publication.

"The Web site was not affected and newspaper production will not be affected," the representative said. The internal systems of the paper are "operational," the representative added, but she did not state what degree of impact the worm had had on its internal operations.

Walt Disney's ABC News and Time Warner's CNN confirmed in postings to their Web sites that their computers had been hit.

Which worm done it?
Experts have different opinions on the cause of the latest infections. The SANS Internet Storm Center, which tracks network threats, attributes Tuesday's trouble to Zotob, which keeps mutating and finding new victims. "As seen with prior TCP worms, it is reaching its peak around three days after the outbreak," SANS said on its Web site.

The security issue exploited by the worm also affects the newer Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers.

Showing 1 of 2 pages (105 Comments)
Full LIVE coverage on CNN!
by technewsjunkie August 16, 2005 3:56 PM PDT
The funny thing is, they had just switched out their Apple Displays
and computers to Dells within the last couple of days! What timing.
CNN only complaining
by August 16, 2005 4:15 PM PDT
CNN was the only ones complaining for like 4 hours. All other networks, including Reuters, have been silent. Strange isn't it?
But the new Dell machines are not infected
by tbeckner August 16, 2005 5:24 PM PDT
But the new Dell machines are not infected. This worm attack is only against older Windows 2000 boxes, which no longer have support from Microsoft, but had a patch released that somebody forgot to install.
CNN should be Embarrassed
by tbeckner August 16, 2005 6:26 PM PDT
I just watched a delayed broadcast that my TiVo recorded of the Live CNN report about the WORLDWIDE WORM INFECTION. CNN should be Embarrassed. Their IT people could have patched them last week. The funny thing and maybe not so funny is that they reported it as something big and the infection will only infect unpatched/unprotected Windows 2000 machines.

Again, CNN should be Embarrassed!
O' Glorious Day! The Revolution is Televised!
by cjohn17 August 16, 2005 4:35 PM PDT
Oh how I luv it! Now MS virus attacks are now front and center,
not some nebulous debate in a nerdy forum.

If only FOX News had broadcast the issue live. With their larger
and much smarter audience (I mean that seriously, CNN is a
joke) Microsoft would never sell another copy of their crummy,
broken down OS.

O' Glorious Day!
Fox News
by SteveBarry687 August 16, 2005 4:45 PM PDT
Larger okay (haven't looked at audience numbers lately), but smarter. Ha hah ah aha hahaha ahha aha hah aha ha ahha ah.

I guess you would see them as smarter if you're a right winger. CNN is right wing too.
Congrats. to the moronic masses!
by d2r4 August 16, 2005 5:01 PM PDT
I'd like to take this time to laugh at all those infected by the "W32.Zotob.D" virus... that's what you get for being morons, maybe you should update your software once in a while.

Stop drooling and scratching your head, open up your eyes and learn about that which controls much of your life. Hopefully your raining ignorance does not destroy anything important in the meantime.
Hey Tron, Lighten Up
by cjohn17 August 16, 2005 7:37 PM PDT
I luv these "PC experts" who rain down dripping sarcasm on the
"ignorant masses" because the lowly cattle are not smart enough to
manage their computer systems.

You know, many of these poor folks that you have such disdain
for have jobs, families, you know, real lives. They don't have the
time to invest in PCs like lonely geeks do. Balding saps sitting
under a dim 40 watt bulb in your tattered underwear, playing
Doom all day long, and going through bags of Cheetos.

Did it ever occur to you that perhaps we should be feeling sorry
for you? Investing all your time and energy in a failed operating
system? Think different, Tron. Go outside and play. You're
looking awfully pale and the human race needs you.
Get a Life, Tron
by cjohn17 August 16, 2005 7:47 PM PDT
That goes double for IT support too.
Nice.
by libertyaikido August 17, 2005 7:40 AM PDT
Apparently you have no idea what it takes to roll out updates to a corporate network when there are legal and technological considerations that must be addressed.

Only an idiot would activate Automatic Updates, on a Windows machine, on a corporate network (unless the updates are being pulled from a company controlled, local Windows Update server [after an intense, possibly long, period of testing]).

Thanks for playing. Try again.
Even with a warning Sign on it, some would still buy Windows
by educateme August 16, 2005 5:05 PM PDT
This is another one of the weekly, monthly, yearly, daily, hourly,
by the minute, reports about Windows with its high-tech
(insecure) bundling of Internet Explorer into the OS, and how it
has made everyone pay for Microsoft's greed. If they can't beat a
company like Netscape with good technology methods, then let's
screw our customers, since they don't know better anyway, and
mash the browser into the OS and let 'em fight for themselves. If
you keep buying into the next marketing ploy, or promise, of a
secure Microsoft system, you will keep fixing your PC jalopy,
while Bill Gates laughs all the way to the bank.

What can you do, you might ask? Perhaps buy a Mac, or build a
Linux PC, after all what is your time worth in life, if you can
avoid these constant (never ending) hassles with a troubled
Microsoft design that will keep milking you for life. With no end
in sight, get used to it, or get out of Windows. Now you know.
Funny thing, if everyone ran UNIX/Linux
by tbeckner August 16, 2005 5:27 PM PDT
Funny thing, if everyone ran UNIX/Linux, then the virus writers would be attacking those machines. And if you don't think that UNIX/Linux has no security problems, then I guess your UNIX/Linux machine isn't patched. Even the noble MAC has security problems. It's just that it is too small of a market for the virus writers to attack.
There's an Idea!
by cjohn17 August 16, 2005 7:39 PM PDT
I like the idea of a warning sign on the packaging! "May cause total
loss of data."
you need to read the article again
by August 18, 2005 11:21 AM PDT
How is the security hole related to "mashing in IE with the OS"???

All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system.
Just update morons
by wazzledoozle August 16, 2005 5:15 PM PDT
Of course they are going to be serious viruses when you have over 90% of the desktop market, everyone is targeting you with everything they have.

Microsoft needs to release a patch that turns on automatic updates permanently if it sees the computer hasn't been updated in over a month.
Microsoft needs to release a patch
by August 16, 2005 5:39 PM PDT
This is exactly what MS needs to do for network enabled machines. If a machine's patch level falls too far behind, disable its ability to communicate on a network until the user commits to do the updates and then only allow a connection to Microsoft's update service until it has been fully patched.
Better Idea
by cjohn17 August 16, 2005 7:45 PM PDT
How about this... I think this would work even better. STOP
WRITING CRUMMY, SLOPPY, CODE.

That would solve everything.
Ahghghghghghghghgh
by Andrew J Glina August 16, 2005 6:02 PM PDT
I can feel it entering my computer, one transistor at a time.... With my last strength, I enter in A-P-P-L-E into the IE address bar and hit CTRL-ENTER. Must-Buy-Mac-Before-Too-Late......

Ooops. Just remembered. I have a firewall. Back to work.
CNN should be Embarrassed!
by tbeckner August 16, 2005 6:26 PM PDT
I just watched a delayed broadcast that my TiVo recorded of the Live CNN report about the WORLDWIDE WORM INFECTION. CNN should be Embarrassed. Their IT people could have patched them last week. The funny thing and maybe not so funny is that they reported it as something big and the infection will only infect unpatched/unprotected Windows 2000 machines.

Again, CNN should be Embarrassed!
Nice Try. A significant # of Businesses still using W2K
by technewsjunkie August 16, 2005 7:08 PM PDT
You are in Windows denial. Simply read the article again.
" ...but Windows 2000 remains popular. The operating system
ran on ***48 percent*** of business PCs during the first quarter
of 2005, according to a recent study by AssetMetrix."

Also it was CNN, New York Times, and ABC network that are
mentioned in the article alone. How many more do you think
there are? Hint: There are still millions of W2k machines out
there, and these are typically not updated vigorously.

CNN was reporting LIVE giving quotes from Microsoft
representatives who claimed it was "low level". Do you think
these companies and others think it was "low level"?? MS means
its "low market share" so they can tell them to screw. Air time
costs hundreds of thousands, if not millions per minute of
broadcast time.
I Feel Bad for the Children and Elderly
by cjohn17 August 16, 2005 7:57 PM PDT
Just re-read the article again. How Gates and Ballmer get any sleep
every night is beyond me. These "critical" situations are affecting
people's lives in dramatic ways... oh, wait...

Fortunately, it's mostly IT wonks and MS apologists that are staying
up late securing these OS dinosaurs. Serves 'em right.
Totally incorrect
by catchall August 16, 2005 8:21 PM PDT
I run a Windows network, I patched last week. I am now sitting comfortably at home, glass of wine in hand, wondering why others did not.
I feel bad for C.J....
by ledzep75 August 16, 2005 8:25 PM PDT
because Carl from GTA SA runs on Windows and he doesn't even know it!
Yet another reason to Use Linux.
by 202578300049013666264380294439 August 17, 2005 1:29 AM PDT
Thanks Microsoft, You just showed the entire World, Yet another reason to Use Linux.
Maybe things have changed
by Bob Brinkman August 17, 2005 6:52 AM PDT
It always amazes me that people that bash Microsoft and praise Linux have the time to read through Hardware compatibility lists to make sure they are going to be able to use their hardware, but turning on automatic updates or using a virus scanner is a hardship beyond bear.

Is there better hardware support than there was in these OS's than there used to be yet? Then they might be worth considering, but probably not since I still couldn't get half the apps I use to run on them.
Golly I love my Macs
by oo7curtis August 17, 2005 4:26 AM PDT
It's time like these that, well, no it's all the time. Yukkk on that
nasty windoze thang.
Maybe....
by Earl Benser August 17, 2005 4:26 AM PDT
.... this is an MS idea to get people to upgrade to XP or else??????

Who knows????? ;-)
Bingo
by Christopher Hall August 19, 2005 12:43 PM PDT
That's exactly what I was thinking when the story came out. Somehow, I doubt Microsoft would be above it. They do have some very talented programmers up their sleeves, after all.

Have you ever read the book "Jennifer Government" by Max Barry? The book (it's fiction) touches on the extent of corporate espionage and it's quite cleverly written. Although, in the book, Nike kills a few people to increase the value of some shoes. While not DIRECTLY correlated (yet!), it has a similar feel to it.
Snicker, Giggle
by August 17, 2005 7:03 AM PDT
It amuses me that big media, the liberal bastions of "we're smarter
than you are", are being hit by this worm hard.

I guess I should serve them some humble pie. Perhaps their IT
groups could bring cutlery and juice.
MicroLinux
by August 17, 2005 7:51 AM PDT
If only Microsoft would put a 1/10th of the money and energy they put toward Windows toward improving the user interface for Linux, their problems would be solved. A commercial version of Linux can work, and there will always be the free versions for us geeks.

As to the myth that the virus and worm writers target Windows because everyone uses it....that's BS! Viruses and worms are all about reputation in that world...no one gets paid to write a worm. The first person to write a successful Linux, Unix, or Mac virus would be famous. It has nothing to do with market share. If there was only one Ferrari in NYC, do you think it wouldn't get stolen because of market share? Viruses and worms don't exist for Linux, Unix, and Macs because they are all based on operating systems that were designed from the beginning not to allow them.
Virus-free OS? How naive...
by Dandy55 August 17, 2005 10:13 AM PDT
Peter wrote:

"As to the myth that the virus and worm writers target Windows because everyone uses it....that's BS!"
"The first person to write a successful Linux, Unix, or Mac virus would be famous"...
"Viruses and worms don't exist for Linux, Unix, and Macs because they are all based on operating systems that were designed from the beginning not to allow them"...

Pardon me, but, using Peter's words, "that's BS!" - I mean, the myth that Linux, Unix, or Mac are inherently virus-free, and Windows is the sole vulnerable OS.

Here is just a couple of links for you - go and get some protection:

Virus protection for MAC OS:
http://www.symantec.com/nav/nav_mac/

... and for Linux:
http://www.centralcommand.com/linux_server.html
Ignorance is not bliss
by 202578300049013666264380294439 August 17, 2005 12:07 PM PDT
The very first internet worm *ever* was written for Unix. Evidently Richard Morris isn't as famous as you think either since you evidently don't know about his worm and thus him.
CNet a day late...maybe THEIR computers were infected?
by M C August 17, 2005 10:35 AM PDT
Just wondering...
BS
by ajbright August 17, 2005 10:55 AM PDT
All this worm does is set up Win2K machines as spam bots, it doesn't shut down computers, it doesn't do anything except flood your net connection with outgoing spam.

Deleting one file in safe mode fixes the problem.

The so-called patch does nothing to stop this worm, the only protection is to
1/turn off port 445 to stop it spreading to other computers,
2/delete the mousemb.exe file from system32
3/remove the two reg edits it makes (although these appear to be harmless, in fact they might even make your computer more secure)
4/Anti-virus software - it's the only thing that can prevent re-infection, as I said, the M$ patch does nothing. Patched machines are just as likely to be infected as those not patched.

What happened here is that some "expert" advised a CNN "reporter" to watch for suspicious activity, such as your PC rebooting - probably because this "expert" remembers a worm from about two years ago that did this.

This turned into the "worm reboots computers" - which spread like wildfire across cable news channels (pretty much the same thing as your average tabloid paper, but on TV - think Fox News, MSNBC, CNN - all do nothing except commentate on life, making up hysterical BS to make it appear more interesting).
how are you so sure on the symptoms?
by Bob Brinkman August 17, 2005 11:39 AM PDT
I just ask because my girlfriend shot me a page yesterday when this crap started saying everyone's work computer started rebooting randomly including hers, shortly after it was announced to the employees as being virus related. I'm in an XP environment so I haven't seen any of the havoc first hand. I just rely on what I read. If it matters she works for a large Gas utility company whose name I won't mention.
Name one..
by Bill Dautrive August 17, 2005 12:26 PM PDT
virus for any *nix variant that has caused problems and spread itself.

just one, should be easy right?

otherwise don't spread your ignorance
Like there is a point
by Andrew J Glina August 17, 2005 3:43 PM PDT
I played your game last time when you wanted the panel to...

"Name one 'innovation' in longhorn that doesn't already exist elsewhere"

http://news.com.com/5208-1016-0.html?forumID=1&threadID=8183&messageID=57023&start=83

...and I gave two, yet you are still spouting the same anti-Microsoft garbage. You are not here to learn, you are here to lecture.

The fact is I have Win2K and broadband and I have not got this virus. Seems as overrated to me as UNIX virus, which do exist and you know it.
The Morris Worm
by aabcdefghij987654321 August 18, 2005 7:15 AM PDT
http://en.wikipedia.org/wiki/Morris_worm

The VERY FIRST worm. It was Unix based and spread from Unix system to Unix system causing a great deal of damage to the internet. In fact by percentages of internet systems infected, it was the most effective worm ever.

Don't make challenges based on your own ignorance.
Give a cyber terrorist a window of opportunity...Use Microsith!
by Llib Setag August 17, 2005 2:02 PM PDT
Have you ever noticed that when CNN shows the troops
capturing & dragging suspected terrorists from the caves, they
frequently find their MS Windows PC laptops & search for
terrorist activity on the hard drives? Coincidence? Huge amounts
of money & they use MS PC Windows laptops?

US DOJ had their chance & they agreed that Microsith is an illegal
monopoly, but refused to break the monopoly apart or control
their illegal activities worldwide. MS Monopoly money goes very
deep into the pockets of the U.S. Government in Washington
D.C.

U.S. Gov't has suggested that MS should be considered for a
national ID card for all citizens & immigrants of the USA, as part
of their homeland security defense. Citizen Gates with the Dept.
of Homeland Security would "manage" all important data of all
citizens.

U.S. Gov't has recently suggested that MS Internet Explorer be
the ONLY Internet Browser of the Government. MS-OS control
battleships & aircraft carrier computers.

But noooooooooo, the terrorist wouldn't think of taking
advantage of the structural weaknesses of the US-MS software
that is on the government's computers, the US military
computers, the US airports computers, the banking +
investment computers & the majority of the US citizens
computers. Why would they want to do that...?

WAKE UP PEOPLE!
These worldwide cyber attacks are not just some smart punk
kids having a laugh. These attacks are affecting millions of
businesses & costing them BILLIONS of dollars. These "phishing"
scams through IE Outlook are ripping off money from innocent
people & growing identity theft is a major problem.

Don't make it easy for criminals / terrorists by using faulty
software full of security holes that Citizen Gates can't plug fast
enough.
This conspiracy theory brought to you by the letter "Q"
by Christopher Hall August 18, 2005 7:23 AM PDT
Really, thanks for coming out of the basement long enough to post that.

Really. Thanks.
Win2K patch doesn't work, XP and Server2003 patches do.
by ajbright August 17, 2005 2:19 PM PDT
The Win2K patch might work for one of the worms out there, but it doesn't stop the w32.esbot.a or any of its variants.

Every Win2K PC we have has been infected, it wasn't until after we removed a certain file that even the anti-virus software would delete or quarantine any of the subsequent attacks.

Our WinXP and Server 2003 boxes have been completely unaffected by any of the worms - mostly because we have patch management software that can patch hundreds of networked computers instantly - without any kind of manual installation.

If we'd had to rely on automatic updates we'd have been screwed - because in a business environment you don't give normal users admin rights, therefore automatic updates won't work until an administrator logs on.

I don't know how any medium or large sized business can cope with keeping on top of patches without software that can remotely patch at least a 100 workstations at a time.

We don't even have to do a manual install of the patch management software (which the crap patch management packages force you to do on every workstation). All we have to do is scan for a new PC on any domain then apply the patches and remotely reboot it.

UpdateExpert has prevented every worm except w32.esbot from causing us any problems, and that only failed because there isn't a patch out there that prevents it from installing on Win2K PCs.
Microsoft WGA = terrorist threat
by W2Kuser August 17, 2005 2:22 PM PDT
The real story here is that Microsoft's new WGA policy of BLOCKING critical security updates of computers that are not verified as "genuine windows".

By intentionally blocking these critical security updates, Microsoft is now openly supporting not only annoying hackers, but also the more serious cyber-terrorism threats.

Forget Iran or Korea, Microsoft now poses a more serious, immediate threat to this country's security...
From the MSFT website
by August 18, 2005 9:54 AM PDT
Q: Do security updates require validation?
A: Security updates are not part of WGA. Security updates can be installed using the Windows XP Automatic Updates feature, or downloaded from the Download Center.

http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en

Do your homework before you make ASSumptions and flame

MSFT has said all along that using the WGA is NOT a requirement to receive security updates, for the very reason you mention above. They would rather patch pirated versions than have them become infected.