By Arik Hesseldahl
Summertime, and the living is uneasy for PC owners everywhere. As many as 11 variants of a computer worm, bearing names such as Zotob, Rbot, and Drudgebot, have circulated in the last several days. All are designed to attack computers running Microsoft's (MSFT) Windows operating system.
Attention to the outbreak reached a peak Aug. 17 after computers at CNN (TWX), Disney's (DIS) ABC News, and The New York Times (NYT), among others, were struck by the worms (see BW Online, 08/18/05, "For Worm Writers, Speed Thrills"). Small wonder this scare has been magnified into a major media event, eclipsing previous -- and probably more dangerous -- incidents such as the attack of the Sasser worm and the Bagle and Netsky bugs in 2004. Security researchers think this latest incident has affected tens of thousands of computers around the world, vs. the millions in previous incidents.
How worried should you be? Here's an explanation of the worms and what you need to know:
Q: How does the worm work?
A: This outbreak followed the disclosure by Microsoft on Aug. 9 of the existence of a critical weakness in its Plug-and-Play feature in Windows, which allows certain devices to work with the computer as soon as they are plugged in.
The truth is, Plug-and-Play has long been vulnerable to a type of attack called a "buffer overflow," which happens when a program or process tries to store more data in a buffer than the buffer was designed to hold. The excess data spills into adjacent memory, and that gives unwanted programs such as a worm an opening to get onto a vulnerable PC running Windows.
Q: How did the worm spread so fast?
A: Hackers are getting better at attacking rapidly -- and that means corporate computer-security departments have to be on their toes like never before. The Zotob, IRCbot, and Bozori worms that have exploited this latest Windows flaw came out lightning-fast -- in as little as three days. That's down from an average vulnerability-to-exploit window of 6.4 days in 2004, according to security firm Symantec (SYMC).
IT-security experts warn that the Windows attack this week shows the so-called "zero day" attack -- when companies have no warning before viruses and worms hit -- could be very near. The upshot: When Microsoft or other vendors warn of vulnerabilities and offer patches, it's wise to download and install them immediately.
Q: My company has been hit with one of these worms. Should I be concerned that any of my personal information has been compromised, including credit-card information?
A: Not by these worms directly. However, if your computer is infected, the worms can leave open certain "back doors," making the computer vulnerable to other unwanted activity. This could compromise personal information. Not sure? Run a scanning tool to determine whether your computer is infected. Microsoft is offering one on its Web site.
Q: Which versions of Microsoft Windows are affected?
A: Microsoft says that Windows 2000 Service Pack 4, Windows XP Service Packs 1 and 2, Windows XP Professional x64 Edition, and several versions of Windows Server 2003 are vulnerable. The company has posted patches on its Web site for download.
NT Workstation Version 4 is also affected, but Microsoft stopped supporting this operating system more than a year ago, so no patch has been issued. Certain older versions of Windows, such as Windows 98 and Windows Millennium Edition, are unaffected.
Q: Are Apple Computers (AAPL) affected in any way? Or computers running Linux?
A: No. Only computers running certain versions of Windows are affected by these worms.
Q: What about future worms?
A: It's a good idea to stay on top of all relevant security patches for your particular version of Windows. These are usually made available regularly and directly by Microsoft on its Web site.
Also, make sure any anti-virus software you have running is up to date -- that is, that it has the latest version of its virus-definition files. Usually, these software programs prompt users to update protection. All it takes is a click of the mouse.
All the major anti-virus software vendors have updated their definitions to detect and remove these worms. It's also important that firewalls protecting networks and individual computers are fully updated.
Hesseldahl is a reporter for BusinessWeek Online in New York.