Windows worms knocking out computers

Network worms that shut down computers running Microsoft's Windows 2000 operating system on Tuesday may be linked to competition between rival hackers, security experts said.

Computers across the United States have been hit, including those at cable news station CNN, television network ABC and The New York Times. Tokyo-based antivirus company Trend Micro blames the havoc on various worms, including the Zotob worm that hit the Internet over the weekend and new variants of the Rbot worm.

Some security researchers claim the outbreak is tied to a "war" between rival virus writers. "We seem to have a botwar on our hands," Mikko Hypponen, chief research officer at Finnish software security firm F-Secure said in a statement issued on Wednesday.

"There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines," he said.

All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. Microsoft offered a fix for the bug as part of its monthly patching cycle last week. The software maker deemed the issue "critical," its most serious rating.

CNET security center
Zotob prevention and cure

New worms attack vulnerable Windows 2000 and Windows XP SP1 machines.

"It seems like every couple of minutes a new variant comes in. We cannot pinpoint the infections to one variant," Joe Hartmann, director of the antivirus research group at Trend Micro, said on Tuesday. "We are still gathering infection reports. It is coming globally."

Symptoms of infection include the repeated shutdown and rebooting of a computer, Trend Micro said.

Microsoft is investigating the reports of the worm outbreak, the company said in a statement. It lists "Worm_Rbot.CEQ," an Rbot variant, as the possible cause of the trouble.

The company also sought to downplay the threat and said Windows 2000-based PCs running the latest patch are protected. "Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack," the company said in a statement issued Tuesday.

Inside job
The multiple worms are hitting individual organizations rather than computer users at large, said Johannes Ullrich, chief research officer at the SANS Institute, an Internet security training and research outfit.

"These worms are not having an impact on the Internet," Ullrich said on Tuesday. "They do have a substantial effect on organizations running Windows 2000 without last week's Microsoft patch installed."

The pain is being felt "on the inside," agreed David Cole, the director of product management at Symantec Security Response. The worms might slither onto the networks of companies with Windows 2000 systems from an infected laptop that has been used outside the corporate firewall, for example, he said.

"It gets inside an organization and then it bounces around and wreaks havoc," Cole said.

The New York Times has been hit by the virus, but the assault has not impacted the delivery of the news, said a spokeswoman for the publication.

"The Web site was not affected and newspaper production will not be affected," the representative said. The internal systems of the paper are "operational," the representative added, but she did not state what degree of impact the worm had had on its internal operations.

Walt Disney's ABC News and Time Warner's CNN confirmed in postings to their Web sites that their computers had been hit.

Which worm done it?
Experts have different opinions on the cause of the latest infections. The SANS Internet Storm Center, which tracks network threats, attributes Tuesday's trouble to Zotob, which keeps mutating and finding new victims. "As seen with prior TCP worms, it is reaching its peak around three days after the outbreak," SANS said on its Web site.

The security issue exploited by the worm also affects the newer Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More

[technewsjunkie]

Full LIVE coverage on CNN!

The funny thing is, they had just switched out thier Apple Displays <br />and computers to Dells within the last couple of days! What timing.

CNN only complaining

CNN was the only ones complaining for like 4 hours. All other networks, incruding Reuters hav been silent. Strange isn't it?

[tbeckner]

But the new Dell machines are not infected

But the new Dell machines are not infected. This worm attack is only against older Windows 2000 boxes, which no longer have support from Microsoft, but had a patch released that somebody forgot to install.

[tbeckner]

CNN should be Embarrassed

I just watched a delayed broadcast that my TiVo recorded of the Live CNN report about the WORLDWIDE WORM INFECTION. CNN should be Embarrassed. Their IT people could have patched them last week. The funny thing and maybe not so funny is that they reported it as something big and the infection will only infect unpatched/unprotected Windows 2000 machines.<br /><br />Again, CNN should be Embarrassed!

[cjohn17]

O' Glorious Day! The Revolution is Televised!

Oh how I luv it! Now MS virus attacks are now front and center, <br />not some nebulous debate in a nerdy forum. <br /><br />If only FOX News had broadcast the issue live. With their larger <br />and much smarter audience (I mean that seriously, CNN is a <br />joke) Microsoft would never sell another copy of their crummy, <br />broken down OS.<br /><br />O' Glorious Day!

[SteveBarry687]

Fox News

Larger okay (haven't looked at audience numbers lately), but smarter. Ha hah ah aha hahaha ahha aha hah aha ha ahha ah.<br /><br />I guess you would see them as smarter if your a right winger. CNN is right wing too.

[d2r4]

Congrats. to the moronic masses!

I'd like to take this time to laugh at all those infected by the "W32.Zotob.D" virus... thats what you get for being morons, maybe you should update your software once in awhile.<br /><br />Stop drooling and scratching your head, open up your eyes and learn about that which controls much of your life. Hopefully your raining ignorance does not destroy anything important in the mean time.

[cjohn17]

Hey Tron, Lighten Up

I luv these "PC experts" who rain down dripping sarcasim on the <br />"ignorant masses" because the lowly cattle are not smart to <br />manage their computer systems. <br /><br />You know, many of these poor folks that you have such distain <br />for have jobs, families, you know, real lives. They don't have the <br />time to invest in PCs like lonely geeks do. Balding saps sitting <br />under a dim 40 watt bulb in your tattered underwear, playing <br />Doom all day long, and going through bags of Cheetos.<br /><br />Did it ever occur to you that perhaps we should be feeling sorry <br />for you? Investing all your time and energy in a failed operating <br />system? Think different, Tron. Go outside and play. You're <br />looking awfully pale and the human race needs you.

[cjohn17]

Get a Life, Tron

That goes double for IT support too.

[libertyaikido]

Nice.

Apparently you have no idea what it takes to roll out updates to a corporate network when there are legal and technological considerations that must be addressed.<br /><br />Only an idiot would activate Automatic Updates, on a Windows machine, on a corporate network (unless the updates are being pulled from a company controlled, local Windows Update server [after an intense, possibly long, period of testing]).<br /><br />Thanks for playing. Try again.

[educateme]

Even with a warning Sign on it, some would still buy Windows

This is another one of the weekly, monthly, yearly, daily, hourly, <br />by the minute, reports about Windows with its high-tech <br />(insecure) bundling of Internet Explorer into the OS, and how it <br />has made eveyone pay for Microsofts greed. If they cant beat a <br />company like Netscape with good technology methods, then lets <br />screw our customers, since they dont know better anyway, and <br />mash the browser into the OS and let 'em fight for themselves. If <br />you keep buying into the next marketing ploy, or promise, of a <br />secure Microsoft system, you will keep fixing your PC jalopy, <br />while Bill Gates laughs all the way to the bank. <br /><br />What can you do, you might ask? Perhaps buy a Mac, or build a <br />Linux PC, after all what is your time worth in life, if you can <br />avoid these constant (never ending) hassles with a troubled <br />Microsoft design that will keep milking you for life. With no end <br />in sight, get used to it, or get out of Windows. Now you know.

[tbeckner]

Funny thing, if everyone ran UNIX/Linux

Funny thing, if everyone ran UNIX/Linux, then the vitus writers would be attacking those machines. And if you don't think that UNIX/Linux has no security problems, then I guess your UNIX/Linux machine isn't patched. Even the noble MAC has security problems. It's just that it is too small of a market for the virus writers to attack.

[cjohn17]

There's an Idea!

I like the idea of a warning sign on the packaging! "May cause total <br />loss of data."

you need to read the article again

How is the security hole related to "mashing in IE with the OS"???<br /><br />All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system.

[wazzledoozle]

Just update morons

Of course they are going to be serious viru's when you have over %90 of the desktop market, everyone is targeting you with everything they have.<br /><br />Microsoft needs to release a patch that turns on automatic updates permanently if it sees the computer hasnt been updated in over a month.

Microsoft needs to release a patch

This is exactly what MS needs to do for network enabled machines. If a machines patch level falls too far behind, disable it's ability to communicate on a network until the user commits too do the updates and then only allow a connection to Microsofts update service until it has been fully patched.

[cjohn17]

Better Idea

How about this... I think this would work even better. STOP <br />WRITING CRUMMY, SLOPPY, CODE.<br /><br />That would solve everything.

[Andrew J Glina]

Ahghghghghghghghgh

I can feel it entering my computer, one transistor at a time.... With my last strength, I enter in A-P-P-L-E into the IE address bar and hit CTRL-ENTER. Must-Buy-Mac-Before-Too-Late......<br /><br />Ooops. Just remembered. I have a firewall. Back to work.

[tbeckner]

CNN should be Embarrassed!

I just watched a delayed broadcast that my TiVo recorded of the Live CNN report about the WORLDWIDE WORM INFECTION. CNN should be Embarrassed. Their IT people could have patched them last week. The funny thing and maybe not so funny is that they reported it as something big and the infection will only infect unpatched/unprotected Windows 2000 machines.<br /><br />Again, CNN should be Embarrassed!

[technewsjunkie]

Nice Try. A significant # of Businesses still using W2K

You are in Windows denial. Simply read the article again.<br />" ...but Windows 2000 remains popular. The operating system <br />ran on ***48 percent*** of business PCs during the first quarter <br />of 2005, according to a recent study by AssetMetrix."<br /><br />Also it was CNN, New York Times, and ABC network that are <br />mentioned in the articel alone. How many more do you think <br />there are? Hint: There are still millions of W2k machines out <br />there, and these are typically not upated vigorously.<br /><br />CNN was reporting LIVE giving quotes from Microsoft <br />representatives who claimed it was "low level". Do you think <br />these companies and others think it was "low level"?? MS means <br />its "low market share" so they can tell them to screw. Air time <br />costs hundreds of thousands, if not millions per minute of <br />broadcast time.

[cjohn17]

I Feel Bad for the Children and Eldery

Just re-read the article again. How Gates and Balmer get any sleep <br />every night is beyond me. These "critical" situations are affecting <br />people's lives in dramatic ways... oh, wait... <br /><br />Fortuantely, it mostly IT wonks and MS apologists that are staying <br />up late securing these OS dinosaurs. Serves 'em right.

[catchall]

Totally incorrect

I run a Window's network, I patched last week. I am now sitting comfortably at home, glass of wine in hand, wondering why others did not.

[ledzep75]

I feel bad for C.J....

because Carl from GTA SA runs on Windows and he doesn't even know it!

[202578300049013666264380294439]

Yet another reason to Use Linux.

Thanks Microsoft, You just showed the entire World, Yet another reason to Use Linux.

[Bob Brinkman]

Maybe things have changed

It always amazes me that people that bash Microsoft and praise Linux have the time to read through Hardware compatibility lists to make sure they are going to be able to use their hardware, but turning on automatic updates or using a virus scanner is a hardship beyond bear. <br /><br />Is there better hardware support then there was in these OS?s then there used to be yet? Then they might be worth considering, but probably not since I still couldn?t get half the apps I use to run on them.

[oo7curtis]

Golly I love my Macs

It's time like these that, well, no it's all the time. Yukkk on that <br />nasty windoze thang.

[Earl Benser]

Maybe....

.... this is an MS idea to get people to upgrade to XP or ellse??????<br /><br />Who knows????? ;-)

[Christopher Hall]

Bingo

That's exactly what I was thinking when the story came out. Somehow, I doubt Microsoft would be above it. They do have some very talented programmers up their sleeves, after all.<br /><br />Have you ever read the book "Jennifer Government" by Max Berry? The book (it's fiction) touches on the extent of corporate espionage and it's quite cleverly written. Although, in the book, Nike kills a few people to increase the value of some shoes. While not DIRECTLY correlated (yet!), it has a similar feel to it.

Snicker, Giggle

It amuses me that big media, the liberal bastions of "we're smarter <br />than you are", are being hit by this worm hard.<br /><br />I guess I should serve them some humble pie. Perhaps their IT <br />groups could bring cutlery and juice.

MicroLinux

If only Microsoft would but a 1/10th of the money and energy they put toward Windows toward improving the user interface for Linux, their problems would be solved. A commercial version of Linux can work, and there will always be the free versions for us geeks.<br /><br />As to the myth that the virus and worm writers target Windows because everyone uses it....thats BS! Viruses and worms are all about reputation in that world...no one gets paid to write a worm. The first person to write a sucessful Linux, Unix, or Mac virus would be famous. It has nothing to do with market share. If there was only one Ferrari in NYC, do you think it wouldn't get stolen because of market share? Viruses and worms don't exist for Linux, Unix, and Macs because they are all based on operating systems that were designed from the beginning not to allow them.

[Dandy55]

Virus-free OS? How naive...

Peter wrote:<br /><br />"As to the myth that the virus and worm writers target Windows because everyone uses it....thats BS!"<br />"The first person to write a sucessful Linux, Unix, or Mac virus would be famous"...<br />"Viruses and worms don't exist for Linux, Unix, and Macs because they are all based on operating systems that were designed from the beginning not to allow them"...<br /><br />Pardon me, but, using Peter's words, "thats BS!" - I mean, the myth that Linux, Unix, or Mac are inherently virus-free, and Windows is the sole vulnerable OS. <br /><br />Here is just a couple of links for you - go and get some protection: <br /><br />Virus protection for MAC OS:<br /><a class="jive-link-external" href="http://www.symantec.com/nav/nav_mac/" target="_newWindow">http://www.symantec.com/nav/nav_mac/</a><br /><br />... and for Linux:<br /><a class="jive-link-external" href="http://www.centralcommand.com/linux_server.html" target="_newWindow">http://www.centralcommand.com/linux_server.html</a>

[202578300049013666264380294439]

Ignorance is not bliss

The very first internet worm *ever* was written for Unix. Evidently Richard Morris isn't as famous as you think either since you evidently don't know about his worm and thus him.

[M C]

CNet a day late...maybe THEIR computers were infected?

Just wondering...

[ajbright]

BS

All this worm does is set up Win2K machines as spam bots, it doesn't shut down computers, it doesn't do anything except flood your net connection with outgoing spam.<br /><br />Deleting one file in safe mode fixes the problem.<br /><br />The so-called patch does nothing to stop this worm, the only protection is to<br />1/turn off port 445 to stop it spreading to other computers,<br />2/delete the mousemb.exe file from system32<br />3/remove the two reg edits it makes (although these appear to be harmless, in fact they might even make your computer more secure)<br />4/Anti-virus software - it's the only thing that can prevent re-infection, as I said, the M$ patch does nothing. Patched machines are just as likely to be infected as those not patched.<br /><br />What happened here is that some "expert" advised a CNN "reporter" to watch for suspicious activity, such as your PC rebooting - probably because this "expert" remembers a worm from about two years ago that did this.<br /><br />This turned into the "worm reboots computers" - which spread like wildfire across cable news channels (pretty much the same thing as your average tabloid paper, but on TV - think Fox News, MSNBC, CNN - all do nothing except commentate on life, making up hysterical BS to make it appear more interesting).

[Bob Brinkman]

how are you so sure on the symptoms?

I just ask because my girlfriend shot me a page yesterday when this crap started saying everyone's work computer started rebooting randomly including hers, shortly after it was announced to the employees as being virus related. I'm in an XP enviroment so I haven't haven't seen any of the havock first hand. I just rely on what I read. If it matters she works for a large Gas utility company who's name I won't mention.

[Bill Dautrive]

Name one..

virus for and any *nix variant that has caused problems and spread itself.<br /><br />just one, should be easy right?<br /><br />otherwise don't spread your ignorance

[Andrew J Glina]

Like there is a point

I played your game last time when you wanted the panel to...<br /><br />"Name one 'innovation' in longhorn that doesn't already exist elsewhere"<br /><br /><a class="jive-link-external" href="http://news.com.com/5208-1016-0.html?forumID=1&#38;threadID=8183&#38;messageID=57023&#38;start=83" target="_newWindow">http://news.com.com/5208-1016-0.html?forumID=1&#38;threadID=8183&#38;messageID=57023&#38;start=83</a><br /><br />...and I gave two, yet you are still spouting the same anti-Microsoft garbage. You are not here to learn, you are here to lecture.<br /><br />The fact is I have Win2K and broadband and I have not got this virus. Seems as overrated to me as UNIX virus, which do exist and you know it.

[aabcdefghij987654321]

The Morris Worm

<a class="jive-link-external" href="http://en.wikipedia.org/wiki/Morris_worm" target="_newWindow">http://en.wikipedia.org/wiki/Morris_worm</a><br /><br />The VERY FIRST worm. It was Unix based and spead from Unix system to Unix system causing a great deal of damage to the internet. In fact by percentages of internet systems infected, it was the most effective worm ever.<br /><br />Don't make challenges based on your own ignorance.

[Llib Setag]

Give a cyber terrorist a window of opportunity...Use Microsith!

Have you ever noticed that when CNN shows the troops <br />capturing &#38; dragging suspected terrorists from the caves, they <br />frequently find their MS Windows PC laptops &#38; search for <br />terrorist activity on the hard drives? Coinsidence? Hugh amounts <br />of money &#38; they use MS PC Windows laptops?<br /><br />US DOJ had their chance &#38; they agreed that Microsith is an illegal <br />monopoly, but refused to break the monopoly apart or control <br />their illegal activities worldwide. MS Monopoly money goes very <br />deep into the pockets of the U.S. Government in Washington <br />D.C.<br /><br />U.S. Gov't has suggested that MS should be considered for a <br />national ID card for all citizens &#38; immigrants of the USA, as part <br />of their homeland security defense. Citizen Gates with the Dept. <br />of Homeland Security would "manage" all important data of all <br />citizens.<br /><br />U.S. Gov't has recently suggested that MS Internet Explorer be <br />the ONLY Internet Browser of the Government. MS-OS control <br />battleships &#38; aircraft carrier computers.<br /><br />But noooooooooo, the terriorist wouldn't think of taking <br />advantage of the structural weaknesses of the US-MS software <br />that is on the governments computers, the US military <br />computers, the US airports computers, the banking + <br />investment computers &#38; the majority of the US citizens <br />computers. Why would they want to do that...?<br /><br />WAKE UP PEOPLE! <br />These worldwide cyber attacks are not just some smart punk <br />kids having a laugh. These attacks are effecting millions of <br />businesses &#38; costing them BILLIONS of dollars. These "phishing" <br />scams through IE Outlook are ripping off money from innocent <br />people &#38; growing identity theft is a major problem. <br /><br />Don't make it easy for criminals / terrorists by using faulty <br />software full of security holes that Citizen Gates can't plug fast <br />enough.

[Christopher Hall]

This conspiracy theory brought to you by the letter "Q"

Really, thanks for coming out of the basement long enough to post that.<br /><br />Really. Thanks.

[ajbright]

Win2K patch doesn't work, XP and Server2003 patches do.

The Win2K patch might work for one of the worms out there, but it doesn't stop the w32.esbot.a or any of it's variants.<br /><br />Every Win2K PC we have has been infected, it wasn't until after we removed a certain file that even the anti-virus software would delete or quarantine any of the subsequent attacks.<br /><br />Our WinXP and Server 2003 boxes have been completely unaffected by any of the worms - mostly because we have patch management software that can patch hundreds of networked computers instantly - without any kind of manual installation.<br /><br />If we'd had to rely on automatic updates we'd have been screwed - because in a business environment you don't give normal users admin rights, therefore automatic updates won't work until an administrator logs on.<br /><br />I don't know how any medium or large sized business can cope with keeping on top of patches without software that can remotely patch at least a 100 workstations at a time.<br /><br />We don't even have to do a manual install of the patch management software (which the crap patch management packages force you to do on every workstation). All we have to do is scan for a new PC on any domain then apply the patches and remotely reboot it.<br /><br />UpdateExpert has prevented every worm except w32.esbot from causing us any problems, and that only failed because there isn't a patch out there that prevents it from installing on Win2K PCs.

[W2Kuser]

Microsoft WGA = terrorist threat

The real story here is that Microsoft's new WGA policy of BLOCKING critical security updates of computers that are not verified as "genuine windows".<br /><br />By intentionally blocking these critical security updates, Microsoft is now openly supporting not only annoying hackers, but also the more serious cyber-terrorism threats.<br /><br />Forget Iran or Korea, Microsoft now poses a more serious, immediate threat to this country's security...

From the MSFT website

Q:Do security updates require validation?<br />A: Security updates are not part of WGA. Security updates can be installed using the Windows XP Automatic Updates feature, or downloaded from the Download Center.<br /><br /><a class="jive-link-external" href="http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en" target="_newWindow">http://www.microsoft.com/genuine/downloads/FAQ.aspx?displaylang=en</a><br /><br />Do your homework before you make ASSumptions and flame<br /><br />MSFT has said all along the using the WGA is NOT a requriement to receive security updates, for the very reason you mention above. They would rather patch pirated versions than have them become infected.