By John Byczkowski
The Cincinnati Enquirer
An Internet virus from a hacked-off hacker is causing big headaches for computer users worldwide this week, though it appears to cause no damage.
"It's everywhere. I've even got it on my computer, which is frustrating," said Mark Games, a technician with Nerd Patrol computer services in Anderson Township.
"We're getting flooded" with calls from affected users, said Steve Pollak, CEO of PC On Call. He said his call volume has nearly doubled, and 90 percent of those are complaints about the virus. He's put on extra staff, and they're working overtime to keep up with the calls.
Cincinnati Children's Hospital Medical Center said only a few computers were affected by the virus, but the hospital had to shut down the network in several buildings to fix the problem. Patient care was not affected, said spokesman Jim Feuer.
Dubbed "Blaster" or "LovSan", the virus' code contains the admonition to Microsoft founder Bill Gates to "stop making money and fix your software!!," an agitated reference to the many security holes in Windows software - including the one that made this virus possible.
The virus causes infected computers to spontaneously shut down. Sometimes, a Windows error message will warn of the impending shutdown, saying "RPC service has unexpectedly terminated." The virus so far has not been found to delete files or destroy data.
Scott Snodgrass of GI Defense, a computer consulting firm in Mason, said he saw an infected computer Monday night. The user would start the computer, "and in a minute and a half, (the virus) would shut her computer off," he said.
"It doesn't do any damage to the PC, but you can't work on it. It takes you out."
Blaster can affect computers running Microsoft Windows XP, 2000 or NT or Windows Server 2003. It does not affect computers running Macintosh, Linux, OS/2, or Windows versions 95, 98 or ME. Most vulnerable are computers with open connections to the Internet, such as corporate computers or home computers with services such as Time Warner's Road Runner or Cincinnati Bell's Zoomtown.
Computers behind up-to-date firewalls are generally safe, as are computers that receive frequent updates of Microsoft's Windows software.
Blaster exploits a Windows vulnerability announced by Microsoft in mid-July. The Seattle software company issued a security patch, which users must download and install from Microsoft's Web site.
If you've done that, you're probably fine. If you haven't, you might not be. Blaster randomly searches the Internet for vulnerable computers. When it finds and infects one, it downloads a file, msblast.exe, that causes the shutdowns. As Blaster downloads the file and searches for other vulnerable computers, it can slow Internet traffic.
Blaster also contains a trigger to flood Microsoft's windowsupdate.com web site with traffic beginning Saturday. That could effectively shut down the Web site, making it nearly impossible for computer users to obtain the security patch.
At Cincinnati Bell's Zoomtown service, technicians noticed a spike in Internet traffic Monday afternoon aimed at the security hole in Windows. Zoomtown shut down that traffic, but has still been receiving calls to its help desk from users affected by Blaster, said Rick Wagner, Bell's director of network and systems engineering.
Likewise, Road Runner saw the traffic and shut it down, said spokesman Rob Howard. Both Zoomtown and Road Runner have posted links on their sites to help users battle the virus.
It's difficult to say how many computers have been affected, Bell's Wagner said, because "you really never know how many people go out and patch regularly, like it's recommended."
E-mail johnb@enquirer.com