
Worm "Ambushes" More Than a Hundred Thousand Computers Worldwide

UPDATE: Blaster Worm Cripples PCs, Fixing It Not Easy

A computer worm that emerged Monday afternoon continued to burrow aggressively through Internet connections Tuesday, crippling hundreds of thousands of machines using Microsoft Corp.'s (MSFT) Windows 2000 and XP operating systems.

The worm, dubbed Blaster, or LovScan by computer-security companies, takes advantage of a programming flaw that affects nearly all versions of the Windows operating system, but infects only those using 2000 or XP. Microsoft revealed the flaw on July 16 and provided free fixes to customers for download. Government and industry experts have widely expected a worm would surface to exploit the flaw and have urged computer users to download Microsoft's patch (http://www.microsoft.com/security/).

But many corporate technology departments and home users apparently failed to heed those warnings, since the worm has struck computers everywhere around the world.

Symantec Corp. (SYMC), a security software maker, said its DeepSight threat monitoring system has seen infections in about 130,000 Internet-connected computers as of Tuesday afternoon, though that number continues to rise.

"A (North American) machine running XP or 2000 has about a 25 minute life span before it's contacted by this worm," said Alfred Huger, senior director of engineering for Symantec Security Response.

"In relative terms, this one has the most potential (for damage) of any worm we've seen to date," because so many computers run the flawed Microsoft software programs, Huger said. "The saving grace was the worm was written very poorly, so it's slow."

But Blaster is working well enough to cause major problems for Internet users. Though it hasn't managed to slow the broader Internet, it has bogged down smaller networks and become a plague to home users.

Russ Panzer, of Hewlett, N.Y., said his home computer and office laptop got infected late Monday. "I can't stay online long enough to fix it," he said. "It's very frustrating. I've already spent a couple of hours trying to fix this."

Blaster causes infected PCs to issue error warnings, shut down and then mysteriously restart again. After coming back to life, they start scanning the Internet for more vulnerable PCs to infect. The worm is programmed to stage an attack on Microsoft's patching site, www.windowsupdate.com, on Saturday.

The worm uses up so much bandwidth scanning for other machines that victims have been unable to connect to Microsoft's Web site long enough to download the operating-system fix, or to antivirus companies' Web sites to download tools for eradicating the worm.

Security companies and the Computer Emergency Response Team Coordination Center, a federally funded group connected to Carnegie Mellon University, Tuesday offered lengthy instructions to these users about how to manually delete the worm from their computers (see below), a step that could buy them enough time before reinfection to download the Microsoft patch.

Microsoft said XP users' first step should be to activate the firewall included in their operating system (instructions at http://support.microsoft.com/default.aspx?scid=kb;EN-US;283673 and below), which will block the worm's communication and give them time to patch and download antivirus software that can eliminate the worm. Windows 2000 users could use any personal firewall they may have to do the same job, namely blocking Internet port 135, the gateway the worm uses to spread.

Antivirus software won't prevent infection from this particular worm because it travels directly from the Internet into the operating system, never triggering a virus scan. As such, all Windows users are urged to apply Microsoft's patch, the only sure way to avoid infection.

As such, fixing the problem is complicated, even for tech-savvy users.

"The world of the PC is totally alien to me, so I felt like a fish out of water," said Preston Alexander, a programmer of mid-range IBM computers who lives in Boston. His home machine is infected because his attempts to install Microsoft's patch before the outbreak failed. "They give it to us common folk, but then to fix it you have to be a rocket scientist."

CERT/CC recommendations for infected users:
1. Physically disconnect the machine from the network by removing phone-cord, cable, DSL, wireless card connectors.

2. Kill the "msblast.exe" process in the Task Manager by following these steps: a) press CTRL-ALT-DELETE, b) click "Task Manager" button, c) select "Processes" tab, d) highlight "msblast.exe", e) click "End Process" button (note that this will bring up a Warning dialog box which a user needs to answer "Yes").

3. Delete any files named "msblast.exe" on the machine by following these steps: a) click on "Start", then "Search", then "Find Files or Folders", b) search for "msblast.exe", c) for each match, right-click and select delete.

4. Disable DCOM on all affected machines by following these steps:

a) Run Dcomcnfg.exe, typically by going to Start, clicking Run and typing "dcomcnfg".

If you are running Windows XP or Windows Server 2003 perform these additional steps: 1) Click on the "Component Services" node under "Console Root," 2) open the computer's sub-folder, 3) for the local computer, right click on "My Computer" and choose "Properties," or for a remote computer, right click on the "Computers" folder and choose "New" then "Computer." Enter the computer name. Right click on that computer name and choose "Properties."

Then, 1) choose the "Default Properties" tab. 2) select (or clear) the "Enable Distributed COM on this Computer" check box. 3) If you will be setting more properties for the machine, click the "Apply" button to enable (or disable) DCOM. Otherwise, click "OK" to apply the changes and exit Dcomcnfg.exe.

b) Enable the Windows XP firewall, or ICF, by following these steps: 1) In "Control Panel," double-click "Networking and Internet Connections," and then click "Network Connections." 2) Right-click the connection on which you would like to enable ICF, and then click "Properties." 3) On the "Advanced" tab, click the box to select the option to "Protect my computer or network." 4) If you want to enable the use of some applications and services through the firewall, you need to enable them by clicking the "Settings" button, and then selecting the programs, protocols, and services to be enabled for the ICF configuration.

5. Reboot the machine and reconnect to the network.

6. Install the patch from Windows Update at http://www.windowsupdate.com, following any directions there.

7. Read and apply the clean up measures outlined in Microsoft's bulletin at http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
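Worm "Ambushes" More Than a Hundred Thousand Computers Worldwide

A computer "worm" spreading over the Internet paralyzed thousands upon thousands of computers on Tuesday. The virus is spreading rapidly around the world and specifically attacks computers running Microsoft Corp.'s Windows 2000 and Windows XP operating systems.

The worm, which computer-security companies call "Blaster" or "LovScan," exploits a programming flaw shared by nearly all versions of Windows. A worm is a computer program that can enter a computer over the Internet and replicate itself, damaging the systems it invades.

Over the past year, a series of worms and computer viruses aimed specifically at Microsoft software has appeared, and Blaster is the "rising star" among them. Microsoft has fought back, using a variety of means to keep improving the security of its software. In June, Microsoft also acquired a Romanian antivirus software developer.

However, the emergence of the Blaster worm shows that even when Microsoft finds a flaw in its software, it still needs a more effective way to alert users to fix the flaw promptly. In fact, Microsoft publicly disclosed this Windows flaw on July 16 and offered users a patch that could be downloaded free of charge. Government and industry experts had widely expected that the flaw would become the target of some worm, and had urged computer users to download Microsoft's patch promptly.

Yet these warnings clearly failed to get the attention of many corporate technology departments and home computer users, and as a result computers all over the world have been "ambushed." Security software developer Symantec Corp. estimated that, as of Tuesday morning Eastern Time, about 123,000 to 124,000 computers had been infected, and the figure is still rising.

Alfred Huger, senior director of engineering for Symantec Security Response, said, "In relative terms, this worm has the most potential for damage of any we have seen to date. Fortunately, the worm program was written very poorly, so it spreads rather slowly."

Even so, Blaster has caused Internet users no small amount of trouble.

Russ Panzer of New York said his home computer and his office laptop were both infected Monday night. "This virus keeps me from staying online long enough to find a fix," he said. "It's so frustrating. I've already spent several hours on this."

Blaster causes infected PCs to display error messages, shut down automatically and then mysteriously restart on their own. After restarting, the virus searches the Internet for more computers it can attack. The worm uses so much bandwidth while looking for new targets that users with infected computers cannot stay on Microsoft's or the antivirus companies' Web sites long enough to download the operating-system patch or tools for removing the virus.

Computer-security companies and the Computer Emergency Response Team Coordination Center on Tuesday gave these anxious users instructions on how to delete the worm manually, which can buy them enough time before their computers are reinfected to download Microsoft's patch.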
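The article says infected machines scan for more vulnerable PCs and that port 135 is the gateway the worm uses to spread. The following is an added example, not part of the original article or of any vendor's tooling, showing how a defender could flag that behaviour in connection logs: it reports any source that contacts many distinct hosts on TCP/135 within a short window. The log layout, addresses and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic).
# Assumed layout: date time action protocol src dst src-port dst-port
SAMPLE_LOG = """\
2003-08-12 14:00:01 OPEN TCP 192.0.2.10 198.51.100.1 1101 135
2003-08-12 14:00:01 OPEN TCP 192.0.2.10 198.51.100.2 1102 135
2003-08-12 14:00:02 OPEN TCP 192.0.2.10 198.51.100.3 1103 135
2003-08-12 14:00:02 OPEN TCP 192.0.2.10 198.51.100.4 1104 135
2003-08-12 14:00:03 OPEN TCP 192.0.2.10 198.51.100.5 1105 135
2003-08-12 14:00:04 OPEN TCP 192.0.2.20 198.51.100.9 1200 80
2003-08-12 14:00:05 OPEN TCP 192.0.2.30 192.0.2.40 1300 135
2003-08-12 14:09:00 OPEN TCP 192.0.2.30 192.0.2.41 1301 135
garbage line that should be skipped
"""

def parse(line):
    """Return (timestamp, src, dst) for a TCP/135 connection line, else None."""
    f = line.split()
    if len(f) < 8 or f[3] != "TCP" or f[7] != "135":
        return None
    try:
        ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None  # malformed timestamp: ignore the line
    return ts, f[4], f[5]

def find_port135_sweepers(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Map each source that reached >= min_targets distinct hosts on TCP/135
    inside one sliding window to the largest target count seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window until it spans at most `window` of time.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in find_port135_sweepers(SAMPLE_LOG).items():
        print(f"{src} contacted {n} distinct hosts on TCP/135 within the window")
```

A host flagged this way is a candidate for the CERT/CC steps above: disconnect it, remove msblast.exe, then patch before reconnecting.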