Virus spreading, but impact moderate

The MSBlast worm is forcing IT staffs to work overtime, but the damage seems to be somewhat contained, at least in the working world.

Michael Kanellos Staff Writer, CNET News.com
Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.
Michael Kanellos
4 min read
The MSBlast worm is forcing IT staffs to work overtime, but the damage seems to be somewhat contained, at least in the working world.

An existing patch, heightened security awareness and the relatively slow pace of the worm are combining to blunt the overall impact of the worm's spread, according to sources. Some companies have been forced to apply patches in the past 24 hours or inconvenience employees by temporarily taking them off the network, but significant damage is thus far light.

"We've had sporadic reports of minor impacts, but by and large, the federal agencies continue to operate as normal," said David Wray, a spokesman for the U.S. Department of Homeland Security. "This worm doesn't appear to be very efficient."

Similarly, the virus found its way onto Intel's computing network but was cleaned fairly quickly without causing damage, a spokesman said. Gateway, Rambus, Nvidia and IBM reported no significant problems. Some companies said the virus was caught and destroyed before it could enter the company network.

By contrast, EarthLink, a home Internet service provider, said that support lines were more active than usual today. Others said the same.

"We're hearing from a lot of customers, especially consumers who have been infected or want to know how not to be infected," a Dell spokeswoman said. Like other PC makers, Dell is helping customers apply a fix. "There has definitely been a significant increase in customer support calls."

So far, 1.4 million unique IP addresses "are acting as if they are infected" by the worm, which emerged Monday, said Art Manion, Internet security analyst with the Computer Emergency Response Team, which tracks Internet viruses.

That number might be high. Internet security company Symantec estimated the number of infected sights to be well below a million. The discrepancy exists because of the way these different organizations count IP addresses. Nonetheless, Symantec on Tuesday raised the severity level of MSBlast from a 3 to a 4 on a scale of 5.

Special Report
Patchwork security
Software "fixes" are routinely
available but widely ignored.

The worm exploits a flaw in Windows that, if left unchecked, can crash a computer and/or use it to send malicious data to other machines.

Unlike with many viruses, however, the warning about MSBlast appeared well before the virus. Microsoft revealed the flaw on July 16 and issued a patch the same day. The early warning allowed companies to patch many of their systems early.

"We're coming out fairly unscathed," said David Gregson, the information technology director for Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, a 1,000-employee law firm that's based in Boston. The firm patched its servers before the virus hit and, after it came out, moved quickly to patch desktops Monday night. Gateway similarly performed final virus updating Monday night, a spokesman said.

The University of Florida, meanwhile, was infected by the virus, but the problem was resolved fairly quickly, according to a source close to the university who did not want to be identified. Marketing and advertising firm Young & Rubicam's network was slow, and e-mail service was sporadic Tuesday until the company fixed the issue later in the day, sources at the company said.

Consumers, by contrast, are having a slightly harder time. Consumers generally don?t have information technology employees, and updating patches can be fairly sporadic. Unlike some other worms in the recent past that only infected servers, the MSBlast worm can infect desktops.

"It would appear that this is spreading relatively quickly," said Greg Collins, a network engineer at EarthLink, who added, "a lot of people don't look at updates."

Internet service providers Cox Communications and Comcast began screening out network traffic sent using specific ports--essentially labels that describe the data type--that the worm uses. Cox spokesman Bobby Amirishahi said his company's network traffic routers updated by 9 a.m. PDT, while Comcast spokeswoman Sarah Eder said her employer started blocking the ports at 9 p.m. Monday.

In addition to the network changes, Cox and Comcast took on additional technical support activities outside the scope of what the companies usually offer their customers, the representatives said. Both companies said they had subscribers who were affected by the worm.

Additionally, Windows XP, which is more widespread among consumers than anywhere else, can be more vulnerable to the worm because of the way the operating system can be configured, Manion said.

Unlike Windows 2000 computers, some Windows XP machines will crash 60 seconds after being infected. Consumers are thus finding themselves racing the clock, trying to load the patch before the crash, Manion added.

The world shouldn?t breathe too easily just yet. Wray and others warned that variants of the virus that spread more rapidly could emerge in the near future.