LoveSan crashes 124,000 PCs

CIOL Bureau
New Update

SAN FRANCISCO: An Internet worm called "Blaster/LoveSan" that attacks Windows operating systems spread across the globe on Tuesday, infecting and crashing home and office computers faster than technicians could install safeguards.

A computer security expert said the worm, which specifically targets computers running Windows XP and Windows 2000, could spread for a few days before tapering off.

At least 124,000 computers using Microsoft Corp., Windows software have been infected worldwide, according to a sample by Symantec Corp.'s Security Response sensor network.

"Corporate networks are getting hit pretty hard," said Alfred Huger, a senior director of engineering at Symantec. "Hundreds of machines are spontaneously rebooting throughout the environment."

Johannes Ullrich of the SANS Institute said the rate at which the worm was spreading seemed to be slowing a bit late Tuesday afternoon. SANS (SysAdmin, Auditing, Networking and Security Institute) is a security training and information organization based in Bethesda, Maryland.

Russ Cooper of TruSecure Corp., a security services provider in Herndon, Virginia, said peak worm activity had occurred between 2 a.m. and 3 a.m. eastern time on Tuesday.

Computers infected by Blaster scan the Internet looking for other machines running Windows that have an open security hole -- one that has not been "patched" or given a fix from Microsoft. The worm then sends itself to those computers.

Windows 2000 and XP computers in North America were getting scanned or infected after being connected to the Internet for an average of 25 minutes, Huger said.

Although, some corporate networks were slowed by the worm, no impact on overall Internet traffic was detected.

The worm, also called MS Blaster or LoveSan, surfaced on Monday in the U.S. and quickly spread, taking advantage of a security hole discovered last month in Windows 2000, Windows XP, Windows NT, and Windows Server 2003 operating systems.

Patches for the hole, except for Windows NT 4.0, which the company no longer supports, were put online by Microsoft.


The worm crashes some systems and infects others, but otherwise does no damage, Microsoft said.

"It's certainly not a good thing," Microsoft spokesman Sean Sundwall said. But, "it has not spread at the speed with which more notorious worms, such as Slammer and I Love You and Code Red, did."

That is because the worm was poorly written, according to Symantec's Huger, who said that new variations of it could be more virulent.

David Perry of Trend Micro, an anti-virus vendor based in Tokyo, noted that Slammer targeted SQL Server and Code Red targeted Microsoft's Web server program, which were used on fewer computers than XP and Windows 2000.

With Blaster, there are "100 million to 200 million machines that can be infected in the world, rather than a quarter of a million," Perry said.

Because Blaster does not spread through e-mail like worms typically do, most anti-virus software will not block it. However, anti-virus applications will let computer owners know if they have been infected and can help clean up the worm.

European and Asian anti-virus firms said they had heard from corporations were infected as their systems went online. Some government agencies in the U.S. reported widespread systems problems.

The state of Maryland closed 23 Motor Vehicle Administration offices at mid-day and the system was shut down to apply patches, said spokesman Jack Cahalan.

The computer network at Philadelphia's City Hall, was also hit by the worm, according to a city official. Stanford University said 2,500 computers were infected and a Department of Homeland Security spokesman said there were sporadic reports from federal agencies of computers hit by the worm.

The patch is available at

© Reuters