Malicious software that takes advantage of a recently disclosed vulnerability in Microsoft's Windows operating system has spread rapidly and has now infected more than 250,000 systems, primarily Windows 2000 systems being run in corporate environments, according to security vendor Computer Associates International (CA).
The worms received widespread media attention after Cable News Network (CNN) reported that it had been affected by the problem, but on Wednesday representatives from companies that had been affected downplayed the level of disruption.
Because of the design of the worms, they have largely left home users unaffected and have instead focused on spreading within corporate networks, according to security experts interviewed Wednesday.
An undisclosed number of internal systems at telecommunications provider SBC Communications were affected by the worms, beginning late Tuesday, said Wes Warnock, an SBC spokesman, but the outages had no effect on the company's voice or data networks, he added.
"It's almost a non-issue. SBC is like any company that was running Windows 2000 and didn't have the patches," he said.
American Express Co. was also hit, according to company spokeswoman Judy Tenzer. "We did experience some issues with some of our computer desktops and much of that has now been resolved," she said. On Wednesday morning, some systems within the company's call center were unavailable because of the outages.
Media outlets have been among the hardest hit by the worm. The New York Times Co. confirmed Wednesday that some of its systems had been infected, and the ABC television network, a unit of The Walt Disney Co., is also reported to have been hit.
While CA is now estimating that more than 250,000 systems have been affected by different variants of the plug-and-play worms, these attacks have received special attention because they have hit media outlets, according to Sam Curry, vice president of CA's eTrust Security Management division. In the past, lesser-reported attacks have hit similar numbers of computers, he said. "We see numbers climb out into the hundreds of thousands and it never gets attention," he said. "Who gets affected will influence how much publicity this gets."
CA is rating the viruses as a low to medium threat and most of its customers have not generally been widely affected by them, Curry said. "We have little to no escalations from customers that have been affected by it," Curry said. "We have no one saying, 'Oh my God I'm in trouble,' but we do have customers calling up and saying what do I need to know?"
However, McAfee's antivirus response team raised its risk assessment to "high" for one worm variant, called IRCBot worm. Late Tuesday it said it had received more than 150 reports of the worm either being stopped or infecting users' PCs, mostly in the U.S. but also from Europe and Asia.
By Wednesday, Symantec customers had reported just over 230 instances of the worms, the company said. This was far less than the thousands of reports that the company had received on highly publicised worm outbreaks such as last year's Sasser worm, Symantec said.
It's certainly not a Sasser; it's certainly not a Slammer," said Russ Cooper, senior information security analyst for Cybertrust. "Our recommendation to our customers is to get patches applied within 90 days, because the normal mechanisms should prevent this from getting to your organisation."
According to Cooper, the best way for corporations to protect themselves from these attacks is to ensure that they secure all the devices that connect to their networks. "These things are getting in through VPN (virtual private network) users or though home or travelling users," he said. "This is a common failing in organizations ... they have protection at a gateway, but meanwhile they let their home users connect via VPN."
The worms all stem from a vulnerability reported Aug. 9 in Microsoft's Windows 2000 Plug and Play service. They will cause infected systems to reboot and infected systems are then instructed to download a variety of malicious software that is then used to attack other systems, antivirus vendors said.
Microsoft's Web page, "What you should know about Zotob," includes links to the patch and was updated Tuesday at http://www.microsoft.com/security/incident/zotob.mspx
Customers in the U.S. and Canada who think they have been infected can call Microsoft's Product Support Services at 1-866-PCSAFETY, Microsoft said. There is no charge for calls to do with security update issues or viruses, it said. International customers should refer to its Security Help and Support for Home Users Web site at http://support.microsoft.com/?pr=SecurityHome, it said.