MSBlast spreads fast but impact is limited

NEWS The MSBlast worm is forcing IT departments to work overtime, but the damage seems to be somewhat contained, at least in the working world.

Click here for information on how to deal with the worm.

An existing patch, heightened security awareness and the relatively slow pace of the worm are combining to blunt the overall impact of the worm's spread, according to sources. Some companies have been forced to apply patches in the past 24 hours or inconvenience employees by temporarily taking them off the network, but significant damage is so far light.

"We've had sporadic reports of minor impacts, but by and large, the federal agencies continue to operate as normal," said David Wray, a spokesman for the US Department of Homeland Security. "This worm doesn't appear to be very efficient."

Similarly, the virus found its way onto Intel's computing network but was cleaned fairly quickly without causing damage, a spokesman said. Gateway, Rambus, Nvidia and IBM reported no significant problems. Some companies said the virus was caught and destroyed before it could enter the company network.

By contrast, EarthLink, a home Internet service provider, said that support lines were more active than usual today. Others said the same.

"We're hearing from a lot of customers, especially consumers who have been infected or want to know how not to be infected," a Dell spokeswoman said. Like other PC makers, Dell is helping customers apply a fix. "There has definitely been a significant increase in customer support calls."

So far, 1.4 million unique IP addresses "are acting as if they are infected" by the worm, which emerged Monday, said Art Manion, Internet security analyst with the Computer Emergency Response Team, which tracks Internet viruses.

That number might be high. Internet security company Symantec estimated the number of infected sites to be well below a million. The discrepancy exists because of the way these different organisations count IP addresses. Nonetheless, Symantec on Tuesday raised the severity level of MSBlast from a 3 to a 4 on a scale of 5.

The worm exploits a flaw in Windows that, if left unchecked, can crash a computer and/or use it to send malicious data to other machines.

Unlike many viruses, however, the warning about MSBlast appeared well before the virus. Microsoft revealed the flaw on 16 July and issued a patch the same day. The early warning allowed companies to patch many of their systems early.

"We're coming out fairly unscathed," said David Gregson, the information technology director for Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, a 1,000-employee law firm that's based in Boston. The firm patched its servers before the virus hit and, after it came out, moved quickly to patch desktops on Monday night. Gateway similarly performed final virus updating on Monday night, a spokesman said.

The University of Florida, meanwhile, was infected by the virus, but the problem was resolved fairly quickly, according to a source close to the university who did not want to be identified. Marketing and advertising firm Young & Rubicam's network was slow, and email service was sporadic on Tuesday until the company fixed the issue later in the day, sources at the company said.

Consumers, by contrast, are having a slightly harder time. Consumers generally don’t have information technology employees, and updating patches can be fairly sporadic. Unlike some other worms in the recent past that only infected servers, the MSBlast worm can infect desktops.

"It would appear that this is spreading relatively quickly," said Greg Collins, a network engineer at EarthLink, who added, "a lot of people don't look at updates."

Internet service providers Cox Communications and Comcast began screening out network traffic sent using specific ports -- essentially labels that describe the data type -- that the worm uses. Cox spokesman Bobby Amirishahi said his company's network traffic routers updated by 9 a.m. PDT, while Comcast spokeswoman Sarah Eder said her employer started blocking the ports at 9 p.m. Monday.

In addition to the network changes, Cox and Comcast took on additional technical support activities outside the scope of what the companies usually offer their customers, the representatives said. Both companies said they had subscribers who were affected by the worm.

Additionally, Windows XP, which is more widespread among consumers than anywhere else, can be more vulnerable to the worm because of the way the operating system can be configured, Manion said.

Unlike Windows 2000 computers, some Windows XP machines will crash 60 seconds after being infected. Consumers are thus finding themselves racing the clock, trying to load the patch before the crash, Manion added.

The world shouldn’t breathe too easily just yet. Wray and others warned that variants of the virus that spread more rapidly could emerge in the near future.