By Brian Krebs washingtonpost.com Staff Writer
Monday, May 3, 2004; 5:40 PM
A new Internet worm that infected hundreds of thousands of computers over the weekend picked up speed as people returned to work on Monday and turned on their infected PCs, security experts said.
The "Sasser" worm began spreading early Saturday morning, infecting or crashing computers that run the Windows 2000 and XP operating systems. The worm attacks systems that were not updated with software fixes Microsoft released less than three weeks ago to address security holes in Windows.
PCs infected with Sasser will either crash and restart repeatedly or start scanning the Web for other vulnerable computers to infect. The worm can infect unprotected Windows XP computers less than 10 minutes after they are connected to the Internet, said Mikko Hypponen, director of antivirus research at F-Secure Corp., in Finland.
"A day ago it took close to an hour, and it's only going to move faster as more American companies come online," Hypponen said. "We're at the point now where if you've waited this long to download the patches, you may not have enough time to get online and download the fix before it's too late."
Hypponen said most of the infected computers appear to be in Europe and Asia where the work week began earlier than in the United States. He estimated that "hundreds of thousands" of computers are infected worldwide. Atlanta-based Internet Security Systems estimated that the worm has infected between 500,000 and 1 million computers so far.
U.S. CERT, the Department of Homeland Security's cybersecurity monitoring center, issued an alert on Saturday urging users to protect their computers. A Microsoft Corp. official said that the company is working with a joint FBI-Secret Service taskforce to investigate the worm's origins.
FBI and Homeland Security officials did not return telephone calls seeking comment.
Unlike e-mail worms that are launched only when the recipient opens an e-mail attachment containing a virus, worms like Sasser spread to vulnerable computers without any action by the victim. Sasser wriggles into computers through a software hole in the Windows security program that decides who can gain access to a computer.
Network worms are an annoyance for home users, but they do their worst damage inside corporate networks. While Sasser does not appear to do any permanent damage to computers running the Windows operating system, it generates so much Internet traffic that it can overwhelm corporate networks with a flood of data as it tries to spread.
Antivirus companies initially considered Sasser a low threat because it was spreading slowly. But by Saturday evening, experts had identified a third version of Sasser capable of spreading 10 times faster than the original, said Joe Stewart, a senior security researcher for LURHQ, a security services company based in Chicago.