New Win2K Worm

[Fred_Vobbe]

(Two stories follow)


ABC Fails To Heed Its Own Virus Warning
BY ROBERT FEDER
CHICAGO SUN-TIMES COLUMNIST

On Tuesday morning, ABC News Online warned of a sneaky new Internet virus so powerful that it "could allow attackers to take complete control of a computer."

By Tuesday afternoon, that same virus had shut down computer systems throughout ABC as well as a number of major companies across the country.

In Chicago, ABC-owned WLS-Channel 7 was forced to shut itself off from all Internet access and abandon its digital news server. To gather and edit news, the station reverted to videotape.

At ABC-owned news/talk WLS-AM (890), talk show hosts and producers had no access to their e-mail or other computer files, and commercials were frozen out for nearly two hours.

"Fortunately, we got ourselves up and running rather quickly," said John Gallagher, president and general manager of the radio station. "But it's obvious we need a much better backup system in place. I have already met with a number of department heads to discuss what we should do."

Tuesday's incident shut down systems running Windows 2000 software. The vulnerability of companies and individual users to such worms and viruses evokes shudders.

"Everything stops," Gallagher said. "We as a corporate society simply cannot function without our computers. This little blip taught us that once again."

----

Worm Strikes Down Windows 2000 Systems
Microsoft in 'emergency response' as worm reported on three continents

WASHINGTON (CNN) -- A fast-moving computer worm Tuesday attacked computer systems using Microsoft operating systems, shutting down computers in the United States, Germany and Asia.

Among those hit were offices on Capitol Hill, which is in the midst of August recess, and media organizations, including CNN, ABC and The New York Times. The Caterpillar Co. in Peoria, Illinois, reportedly also had problems.

A small number of computers in an administrative office at San Francisco International Airport also crashed, but they were not essential to the airport's operation, spokesman Mike McCarron said.

The FBI said the computer problems did not appear to be part of any widespread attack.

While the worm affects primarily Windows 2000, it also can affect some early versions of Microsoft XP, said Johannes Ullrich, chief technology officer of the Sans Institute, a network security firm based in Jacksonville, Florida.

Symptoms include the repeated shutdown and rebooting of a computer.

Microsoft has a downloadable patch on its security homepage, Microsoft.com/security.

The director of Microsoft's security response center, Debbie Fry Wilson, said the computer giant was in an "emergency response" mode. "Right now, we're mobilizing our two war rooms," she told CNN.

"The key thing I want to stress for customers is making sure that they install security updates as quickly as possible," Wilson said.

Although she said that the number of affected computers is unclear, most Windows 2000 customers are business users. And automatic security updates would have protected most home users, she said. Wilson added that millions of computer users have downloaded the patch.

Business software provider AssetMetrix reported in June that Computers running Windows 2000 were on about half of all corporate desks.

Microsoft is working with law enforcement to track down those who unleashed the worm, Wilson said.

Lysa Myers, a virus researcher for the computer security firm McAfee, Inc., said the worm exploits a vulnerability in Microsoft's plug-and-play service. "How it's spreading is it's looking for machines that are unpatched and running itself," she said.

What was causing the damage was unclear, although experts pointed to a new worm called worm-rbot.cbq.

David Perry of Trend Micro, an Internet monitoring firm, said the latest worm may have been derived from the Zotob worm, which was first reported over the weekend.

Ullrich, of the Sans Institute, said Zotob "will connect to a control server to ask for instructions. It scans network neighborhoods and tries to infect them, as well."

Typically, the worm enters a system via a laptop connected to unsecured networks, Ullrich said. "This laptop will infect your systems from the inside."

Several versions of the worm have been released, some as late as Tuesday, he said.

Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later.

The New York Times also was able to bring its systems back up, and "newspaper production will not be affected," spokeswoman Kathy Park said.

The White House said it did not have reports of computer problems.

Improved firewalls and faster patches may have limited the worm's spread, said Jeff Havrila, a technical analyst with the U.S. Computer Emergency Readiness Team, a coalition of public and private groups that combats computer attacks.

He also said it is unclear how long the worm may take to run its course, noting that many people are away on summer vacation and may be affected only when they return.

At any given time there are thousands of computer worms and viruses in existence. Last year, the Sasser worm shut down millions of computers worldwide. A German teenager has been sentenced to 21 months' probation .