Spreading Internet worm shuts down MVA

A stealthy Internet worm infected more than 1 million computers yesterday from Glen Burnie to Hong Kong, knocking home computers off-line and crashing corporate networks even as it taunted Microsoft chief Bill Gates for weaknesses in his Windows software.

All 24 offices of the Maryland Motor Vehicle Administration were shut down by the infection by noon, sending more than 700 customer service workers home and turning away hundreds of people looking to renew licenses and vehicle registrations.


Other victims reporting computer crashes or slowdowns included BMW, the German car manufacturer; Long & Foster, a regional real estate company with headquarters in Virginia; and the San Francisco Chronicle newspaper.

Holly Price, a real estate agent with Long & Foster in Eldersburg, said her office couldn't access its database of homes listed for sale: "Business can be done but it's limited. People understand. This thing is bigger than us."


Millions of unprotected personal computers remain vulnerable to the worm, which can infect any machine connected to the Internet, experts said yesterday. Unlike many computer infections, no e-mail message is needed to carry this worm.

Art Manion, an Internet security analyst with Carnegie Mellon University's Computer Emergency Response Team Coordination Center (CERT) in Pittsburgh, said 1.4 million computers had been infected as of last evening.

"It will probably reach some equilibrium by night," Manion said. "But that number is probably the minimum."

"It's likely that people who have not turned on their computers yet will discover that they have already been infected if they do not have the Microsoft patch, a firewall of some sort or anti-virus program installed," Manion said.

Dubbed Blaster, MSBlaster or LovSan because of a love note it leaves behind on unprotected computers, the worm exploits a serious flaw in the Windows operating system, which Microsoft Corp. first warned about last month.

As companies and Internet technicians scrambled to restore order yesterday, Microsoft said it was preparing for an annoying sequel to Blaster expected on Saturday. The worm has been programmed to direct all infected computers to launch an attack on the company's security-related Web site this weekend.

While experts called Blaster a relatively harmless worm that is more irritating than insidious, they also warned that new, stronger, meaner worms exploiting the same software flaws will likely follow.

"This worm is like somebody who wants to spray graffiti on the side of a building," said John Pescatore, vice president of security research for Connecticut-based Gartner Inc. "They don't want to cause you harm. They just want to create a lot of noise.

"Instead of just spreading itself, it could spread itself and delete everything on your computer," Pescatore said. "This is only the first worm. The next one will be worse. It could do more dangerous things than just slow down your computer."

Microsoft made a free patch, designed to correct the Windows vulnerability to infection, available on its Web site when it first alerted customers to the problem June 16.

But within two weeks, the Internet Storm Center at the SANS Institute, an information security research and education organization headquartered in Bethesda, began receiving reports about computers being infected with bots (short for robots) related to the Windows vulnerability. Bots allow attackers remote control of a system.

Then on Monday, the Blaster worm arrived. It was first spotted in the United States and quickly wriggled its way into unprotected Windows systems across Europe, Asia and Australia.

Computer experts said that many companies and home users probably failed to install the patch.

Most state and local agencies in Maryland escaped unscathed but the hapless MVA detected its internal computer system slowing down about 7:30 a.m.


The MVA usually processes 54,000 transactions a day - most of them did not get done yesterday.

"I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

Hugel said the MVA is expected to open today, but the inconvenient shutdown aggravated many customers.

"I knew there was a reason the lot was bare!" said Frank Walker, 34, after he was turned away at the Glen Burnie MVA in his quest to pick up some driving records. "It's a little frustrating. But it happens."

Others were less forgiving.

One woman said she left work early to get to the MVA. Another, Carol Yowell of Ellicott City, said she left her daughter's bedside at Kernan Hospital to transfer her tags from Florida to Maryland.


"It's absolutely frustrating," Yowell said as she stood outside the main entrance. "You would think they would put a sign on the road or an announcement on the radio. This is just totally frustrating. I'll have to come back tomorrow."

Internet service experts were bombarded with calls for help from small businesses and individuals.

"We've gotten a bazillion calls about it," said Kelly McIver, sales manager for Carroll Computer Connection in Hampstead, which provides technical support for Windows users. "The office is full of computers that people have brought in. We're getting overwhelmed with them."

Geeks on Call computer service franchises in Howard and Baltimore counties said the volume of telephone calls for help was just "bananas."

"We have calls already booked into next week," said owner Laura McInerney. "We're getting to everybody as fast as we can. ... It's critical to keep your Windows patches up to date and keep your virus scanners up to date, but people still don't do it."

That's exactly what the creator of Blaster was banking on, experts said.


The worm attacks computers through a flaw in the part of Windows that allows computers to share files and control Internet traffic. Four versions of Windows operating systems are targeted: Windows NT, Windows 2000, Windows XP and Windows Server 2003.

Microsoft spokesman Sean Sundwall said the worm lays down a little file that forces a computer to be bumped off-line and then crash fairly frequently.

A note is left behind on infected computers that says, "I just want to say LOVE YOU SAN!" Researchers also discovered another hidden message that said, "billy gates why do you make this possible? Stop making money and fix your software!"

The infected computers are expected to begin acting like zombies Saturday, launching a coordinated attack to overload the Microsoft security service Web site and effectively barring users from downloading the tool they need to protect themselves from Blaster.

Microsoft is working to counter the attack, but with little idea of how many thousands or millions of infected computers there are, it will be a difficult task, Sundwall said.

"This is certainly a capable person who did this," Sundwall said. "In most cases, it takes about six to nine months for a worm to appear after a patch is released. This is certainly something that did occur quicker than we are accustomed to.


"It hasn't been as destructive or pervasive as it could have been," he added. "It took a shot at our chairman, but that's OK, we'll get over it. It's harder to have a sense of humor right now because of how busy we are trying to correct it."

This isn't the first time Microsoft has been attacked.

In January, a rogue program called SQL Slammer snarled operations of hundreds of thousands of computers, slowed Internet traffic and even disrupted thousands of ATM terminals.

Sun staff writers Stephen Kiehl, Jamie Smith Hopkins, Trif Alatzas, Laura Vozzella, Stephanie Desmon and Childs Walker contributed to this article.