Internet worm spreading rapidly
But damage around the world limited so far
By Daniel Sieberg
CNN Technology Correspondent
(CNN) -- A new computer worm spread rapidly through the Internet on Tuesday, exploiting a Microsoft vulnerability security experts have warned about for several weeks.
Damage to corporate networks and home computers has been limited at this point, observers said, mainly because security experts have been bracing for this type of attack.
About 188,000 individual computers were infected worldwide as of Tuesday evening, said Alfred Huger, senior director of engineering for security response at Symantec, maker of the popular Norton AntiVirus program.
"Those infected computers are now scanning other machines around the world," Huger said.
This worm, however, is slower than others because its code was poorly written, he said.
"We're seeing a 35 to 40 percent decrease in new activity, but we think this is more due to the fact that it's poorly written. We don't believe it's coming close to exhausting its targets," Huger said.
Computer security experts fear other hackers will improve upon the current worm's code, unleashing an even more disruptive worm.
Offices of the Maryland Motor Vehicle Administration closed down statewide at noon Tuesday. A statement on the agency's Web site said a computer virus had disrupted its computers.
It's not clear if that shutdown was the work of the latest worm. Representatives of the MMVA did not immediately return calls for comment.
The agency's offices were expected to be open for business as usual Wednesday, the Web site said.
Working with Microsoft, the Department of Homeland Security since mid-July has twice issued warnings to Internet users about the flaw. Security software firms have also been sending out alerts.
Dubbed "LoveSAN" or "MSBlaster," the worm does not use e-mail to send itself. Rather it is considered self-propagating, meaning that it independently searches for unprotected computers to infect.
Because of its invisible nature, users may not be aware of its existence.
If a machine is sluggish or crashing, it might be infected. In some cases, computers are forced to reboot. Otherwise, people will need to search for specific files and clean their system; details are available on most security firm Web sites.
Microsoft operating systems that are affected include newer versions such as Windows 2000, NT 4.0 and XP. Users must download a Microsoft patch in order to be protected.
The worm does not allow remote access by a hacker, though security experts said a variation on it may make that possible in the future.
Network Associates (McAfee) and TrendMicro list the worm as "medium" risk. Symantec gives it a 4 out of a possible 5 on a scale of its threat potential.
"MSBlaster" is considered a time bomb. Its code directs infected computers to assault Microsoft's support Web page with a barrage of requests beginning this Saturday.
This type of attack is referred to as "denial of service." The attacks are also programmed to occur any day from September to December, then the 16th to the 31st of each month starting next year.
Because this hole in Microsoft's software was first reported nearly a month ago, experts believe that most large corporations have managed to defend themselves by installing the necessary patch. Internet service providers are also now working to slow its movement.
Some tech analysts worry, however, that if "MSBlaster" is able to find enough vulnerable computers, its spread could slow the performance of the Internet by bogging it down.
While a few users might notice poor Web access, CERT's team leader for incident handling said the Internet overall is holding up well -- so far. CERT is a center of Internet security expertise based at Carnegie-Mellon University in Pittsburgh.
"This is very serious," CERT's Marty Lindner said. "People need to patch. That's without a doubt. But in terms of the overall pain the Internet backbone is seeing, I don't think it's very much."
Where the worm came from is unknown at this point.
An FBI spokesman said the bureau's cyber division is seeing what can be done to trace the worm's origins.
The spokesman said the FBI "we are looking at it." He said he could not speak about the extent of the damage at this time.
One small clue might be that the worm's creators seem to have a sense of humor.
According to security firm TrendMicro, the following message aimed at Microsoft's chairman Bill Gates is embedded in the text:
"I just want to say LOVE YOU SAN!! Billy Gates why do you make this possible? Stop making money and fix your software!!"
Lindner said that while the new worm needs to be taken seriously, he doesn't believe it's cause for massive alarm. "I don't think the world's coming to an end."
He said security experts will continue to monitor its progress for significant changes.
The worm exploits something called a buffer run overflow, allowing hackers to overwhelm a program.
To download the patch, people are asked to visit windowsupdate.microsoft.com -- the same site the worm's denial-of-service attack will attempt to shut down Saturday. The site works only with Microsoft Internet Explorer 5.0 or higher.
Due to the number of people now attempting to get the patch, Microsoft's site was slow to load Tuesday.