By Brian Krebs and Jonathan Krim
Washington Post Staff Writers
Wednesday, August 13, 2003; Page A01
A fast-moving Internet worm gripped computers around the world yesterday, forcing shutdowns of government agencies, slowing corporate networks and threatening to disable the Web site where computer users can get software to stop it.
"Blaster" was not designed to destroy files and is not considered as devastating as some previous worms. But it was powerful enough to shut down the Maryland Motor Vehicle Administration, which closed at noon after its computers were infected.
A spokesman for the Department of Homeland Security said the worm was having a "sporadic" effect on federal agencies' networks. Early yesterday it crashed the computer network at the U.S. Court of Federal Claims, sending some employees home. More than 500 computers at Georgetown University were infected, as were some machines in D.C. government offices.
Estimates of the number of computers affected varied widely, but the SANS Institute in Bethesda, which studies security, estimated that it was no more than 100,000. By contrast, the Code Red worm two years ago, which sought to attack the White House's Web site, affected about 340,000 machines, many of which powered networks of other computers.
Because Blaster mostly attacks the most recent versions of Microsoft Corp.'s Windows operating system, experts say home computer users are at particular risk because they often don't keep up with the latest security procedures to protect their computers from online intruders.
The worm, which began spreading Monday, takes over vulnerable computers connected to the Internet and can force them to shut down. Once a computer is infected, the worm also installs instructions for a midnight Aug. 16 attack on Microsoft's Windows Update Web site -- the same site that users are encouraged to go to for downloading patches that would protect their systems from this worm and others. The worm then scans the Internet for other vulnerable computers.
Computers running on non-Microsoft operating systems, such as Mac OS or Linux, are not affected by the Blaster worm. Worms spread through internal computer networks and the Internet, but unlike viruses, they are self-propagating and do not require users to open infected programs.
Because Blaster, which affects different versions of Windows differently, keeps causing PCs running Windows XP to crash, experts said it may be difficult for many users to figure out how to get their PCs running smoothly enough to be able to patch their systems.
"The infection rate is still climbing, so this is far from over," said Jeffrey S. Havrilla, an Internet security analyst at the CERT Coordination Center, which is part of the federally funded Software Engineering Institute at Carnegie Mellon University in Pittsburgh.
Versions of Microsoft's operating systems, which are used on 95 percent of the world's personal computers, have persistently been dogged by security flaws. Buried within the code of the worm are jabs at Microsoft founder and chairman Bill Gates, who made computer security the company's top priority 18 months ago after Code Red and other attacks began to push companies and governments to look to the offerings of competitors.
"Billy Gates why do you make this possible? Stop making money and fix your software!!" read one message.
Microsoft and the Homeland Security Department warned of the danger nearly a month ago, and the company offered a patch that users could download to thwart the worm and close a hole in Windows' "Remote Procedure Call" software. But many users did not respond to the warning until the worm took off this week.
If enough computers are infected and launch an attack on the Windows Update site, as the worm orders, the barrage could prevent users from being able to reach the service. Microsoft said it has taken steps to prevent the attack. The worm is instructed to continue attacks until Dec. 31, after which it will attack the update site on the 16th of every month.
Experts fear that refined versions of the worm could be released in the next several days by copycats. "If someone writes a more efficient variant of this worm, and there's a very good chance they will, this thing could be with us for a very long time," said Alfred Huger, a senior director of engineering at Symantec Corp., which makes security software.
The attack further fuels critics who argue that Gates's initiative to make his company's software much more secure is a failure.
"Microsoft has developed certain [security] capabilities that some people use, and they've made security more convenient," said Alan Paller, director of research at the SANS Institute. "If those worked effectively, they would be a powerful force. The fact that they don't says something about their follow through."
Windows XP, the newest version of the operating system, comes with an auto-update alert, but most home users never download the patches when prompted, and even fewer keep their anti-virus subscriptions current after the trial subscriptions expire, Paller said.
Paller said Microsoft's software has more features than rival programs, making security a more complex task. He added that the company's software for business has improved but security for consumer-based software remains lacking.
"They don't cover all systems," he said. "They are desperately trying to avoid responsibility, and any legal liability that comes with that responsibility."
Michael Nash, a Microsoft vice president for security, disagreed. "It's not a switch you can flip" so that suddenly software is more secure, he said. "It's something we strive to do better and better over time."
Nash said the Blaster case actually shows that the company's heightened focus on security is working. Acting on information from others in the industry, Nash said, the company rushed the software fix onto its Web site, which would inoculate the machines of users who downloaded it.
But Nash said that only one-third of computer users use both firewalls and anti-virus software, and many often ignore software updates. He said the patch has been downloaded 40 million times so far, with many users rushing to do so in the past 24 hours.
Brian Krebs is a staff writer for washingtonpost.com. Alan Paller, director of research for the SANS Institute, will join Krebs at noon today for a Live Online discussion of computer security.