Watch CBS News

X-SciTech

MS Worm Eats Way Across Internet

/ CBS/AP

A virus-like infection that was the subject of urgent U.S. government and industry warnings spread rapidly across the Internet this week, causing computers to mysteriously restart and launching a coordinated electronic attack against Microsoft Corp.

Security officials said the Internet worm, dubbed "LovSan," was part of a coordinated electronic attack that exploited a serious flaw in Microsoft Corp.'s Windows operating systems.

Maryland's Motor Vehicle Administration shut all its offices at noon as technicians cleaned the agency's network systems.

"There's no telephone service right now. There's no online service right now. There's no kiosk or express office service," spokeswoman Cheron Wicker said. "We are currently working on a fix and expect to be operational again in the morning."

The worm was first reported Monday in the United States and, while appearing not to delete files or otherwise incur permanent damage, knocked many computers offline.

"It seems to be taking off fairly quickly," said Johannes Ullrich of Boston, who runs the D-Shield network of computer monitors.

Across Asia and Europe, it struck many businesses as they opened and workers logged on, spreading without the need for user intervention.

In Washington, the U.S. Postal Service's headquarters computer system was shut down by the worm.

Infected computers were programmed to automatically launch an attack on a Web site operated by Microsoft on Saturday. The site, windowsupdate.com, is used to deliver repairing software patches to Microsoft customers to prevent against these types of infections.

"Microsoft has long been a target of hackers, for a number of reasons: They're the company that everybody loves to hate, and because they have not-so-great security, they're a fairly easy target," said CBS News Technical Analyst Larry Magid. "This is one of many viruses and worms that have been launched against Microsoft software, and in this case, against Microsoft's own Web site."

Magid says the fix is fairly simple.

"You go to windowsupdate.com, you download the fix, you run it, and you're protected against this particular flaw," he said. "But that doesn't mean that there won't be something else in the future that could get you."

But that may not stop it for good, warned Symantec's senior director of engineering, Alfred Huger.

"I think there is a really strong chance that this will be modified and re-released, if not today, then this week," Huger said. "It's very simple to unpack and very simple to modify."

The infection was quickly dubbed "LovSan" because of a love note left behind on vulnerable computers: "I just want to say LOVE YOU SAN!" Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: "billy gates why do you make this possible? Stop making money and fix your software!"

The worm is also known as MSIBlast, W32.Blaster and W32/LuvSan. By exploiting an unplugged hole in Windows, the virus is able to execute without requiring any action on the part of the user, McAfee reported on its Web site.

The high-profile alerts issued by Microsoft notwithstanding, many businesses did not initially install the patches and scrambled Tuesday to shore up their computers.

"People are too laid back. Microsoft doesn't do these warnings for fun," said Graham Cluley, a senior technology consultant with Sophos PLC in Britain. "I think a lot of people have gotten into the habit of thinking viruses only come in via e-mails."

Individual users and small businesses appeared to be at greater risk than bigger companies, which typically have thorough firewalls that can stem such attacks. But once such a worm gets inside a firewall, unprotected computers are vulnerable.

Cluley said his company started getting reports about the infection from Australia and then in Europe.

In Sweden, Internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers that handled Internet traffic. Spokeswoman Lena Rosell said customers had their service restored by late morning.

Internet security company F-secure said about 900 computers in Sweden were infected by LovSan.

Government and industry experts have anticipated such an outbreak since July 16, when Microsoft acknowledged that the flaw affected nearly all versions of its flagship Windows operating system software.

"It's much too early to expect to see any (Internet slowdowns) whatsoever," said Vincent Gullotto, a vice president at Network Associates Inc. "It really depends on how much it spreads."

The Microsoft flaw affects Windows technology used to share data files across computer networks. It involves a category of vulnerabilities known as "buffer overflows," which can trick software into accepting dangerous commands.

First published on August 13, 2003 / 7:20 AM EDT

© 2003 CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.