Computers across the United States have been hit, including those at cable news station CNN, television network ABC and The New York Times. Tokyo-based antivirus company Trend Micro blames the havoc on various worms, including the Zotob worm that hit the Internet over the weekend and new variants of the Rbot worm.
Some security researchers claim the outbreak is tied to a "war" between rival virus writers. "We seem to have a botwar on our hands," Mikko Hypponen, chief research officer at Finnish software security firm F-Secure said in a statement issued on Wednesday.
"There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines," he said.
All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. Microsoft offered a fix for the bug as part of its monthly patching cycle last week. The software maker deemed the issue "critical," its most serious rating.
Zotob prevention and cure
"It seems like every couple of minutes a new variant comes in. We cannot pinpoint the infections to one variant," Joe Hartmann, director of the antivirus research group at Trend Micro, said on Tuesday. "We are still gathering infection reports. It is coming globally."
Symptoms of infection include the repeated shutdown and rebooting of a computer, Trend Micro said.
Microsoft is investigating the reports of the worm outbreak, the company said in a statement. It lists "Worm_Rbot.CEQ," an Rbot variant, as the possible cause of the trouble.
The company also sought to downplay the threat and said Windows 2000-based PCs running the latest patch are protected. "Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack," the company said in a statement issued Tuesday.
Inside job
The multiple worms are hitting individual organizations rather than computer users at large, said Johannes Ullrich, chief research officer at the SANS Institute, an Internet security training and research outfit.
"These worms are not having an impact on the Internet," Ullrich said on Tuesday. "They do have a substantial effect on organizations running Windows 2000 without last week's Microsoft patch installed."
The pain is being felt "on the inside," agreed David Cole, the director of product management at Symantec Security Response. The worms might slither onto the networks of companies with Windows 2000 systems from an infected laptop that has been used outside the corporate firewall, for example, he said.
"It gets inside an organization and then it bounces around and wreaks havoc," Cole said.
The New York Times has been hit by the virus, but the assault has not impacted the delivery of the news, said a spokeswoman for the publication.
"The Web site was not affected and newspaper production will not be affected," the representative said. The internal systems of the paper are "operational," the representative added, but she did not state what degree of impact the worm had had on its internal operations.
Walt Disney's ABC News and Time Warner's CNN confirmed in postings to their Web sites that their computers had been hit.
Which worm done it?
Experts have different opinions on the cause of the latest infections. The SANS Internet Storm Center, which tracks network threats, attributes Tuesday's trouble to Zotob, which keeps mutating and finding new victims. "As seen with prior TCP worms, it is reaching its peak around three days after the outbreak," SANS said on its Web site.
The security issue exploited by the worm also affects the newer Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.
There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.
The onslaught of worms based on the plug-and-play flaw appeared less than a week after Microsoft's patch release, leaving users very little time to protect their systems.
Many Windows 2000 users likely will not have patched yet since they need time to test the fixes before installing them, Ullrich said.
Although there are several worms that exploit the Windows plug-and-play flaw, the spread remains limited, Cole said. "We are not seeing any one of these really soaring or escalating to something like a Blaster or Slammer," he said. Symantec has elevated its ThreatCon rating from one to two, with five being the highest.
Trend Micro has rated the worm attack "yellow," which is in the middle of its alert range. The security company has seen thousands of infections from Zotob alone, Hartmann said.
Infected machines can be cleaned up using tools available from antivirus software makers, including Symantec. Windows 2000 users who have not patched, should do so, Microsoft urges.
CNET News.com's Michael Kanellos contributed to this report.
nt
