Filed at 10:43 a.m. ET
NEW YORK (AP) -- A virus-like Internet worm that had
crippled tens of thousands of computers over the weekend
caused limited network disruptions Monday as employees
returned to work.
Though the worm had been largely contained by Saturday
evening, security experts saw a slight increase in attacks
Monday as the work days began in Asia and Europe.
``There seems to be lots of computers which were off during
the weekend and are now turned on,'' said Mikko Hypponen,
manager of anti-virus research at F-Secure Corp. in
Finland.
Internet
Security Systems Inc. of Atlanta saw another wave begin
shortly after 9 a.m., corresponding to U.S. business
hours.
The latest attacks, however, were nowhere near in intensity
that of Saturday's outbreak, which had congested the network
for countless Internet users and even disabled Bank
of America cash machines.
Meanwhile, officials said Monday they still did not know
its origins.
``It's going to take at least a few days to (analyze) data
coming in,'' said Tiffany Olson, spokeswoman for the
President's Critical Infrastructure Protection Board. ``A lot
of times, this will take weeks, months, potentially years and
we may never know.''
The worm took advantage of a vulnerability in some Microsoft
Corp. software that had been discovered in July.
Microsoft had made software updates available to patch the
vulnerability in its SQL Server 2000 software -- used mostly
by businesses and governments -- but many system
administrators had yet to install them when the attack hit
Saturday.
As the worm infected one computer, it was programmed to
seek other victims by sending out thousands of probes a
second, saturating many Internet data pipelines.
Unlike most viruses and worms, it spread directly through
network connections and did not need e-mail as a carrier.
Thus, only network administrators who run the servers, not end
users, could generally do anything to remedy the
situation.
However, many machines may have been overlooked in the
repairs because they run related programs, Microsoft Desktop
Engine or Data Engine, that reside on individual desktops or
laptops.
``While the weekend focus was on servers, now the problems
persist in desktop machines,'' said Russ Cooper, a security
analyst at TruSecure Corp.
He said users can get rid of the worm by simply turning off
the machine, but he suggests users then contact their network
managers to prevent getting it again.
Chris Rouland, director of the Internet Security Systems'
X-Force research arm, said the biggest effect Monday was
primarily on specific corporations and organizations, unlike
Saturday when the Internet as a whole was disrupted.
The disruptions were greater in South Korea, where computer
security is generally lax, Rouland said.
Internet service in South Korea was ``stable'' though not
at 100 percent early Monday, said Woo Do-shik, a spokesman for
South Korea's Information and Communication Ministry.
South Korean President Kim Dae-jung ordered agencies to
come up with restoration and contingency plans, said his chief
spokesman, Park Sun-sook.
The weekend's Internet attack had security experts worried
that too many system managers are only fixing problems as they
occur, rather than keeping their defenses up to date.
Like the latest worm, two of the previous major outbreaks,
Code Red and Nimda, also exploited known problems for which
fixes were available.
``There was a lot that could have been done between July
and now,'' said Howard A. Schmidt, President Bush's No. 2
cybersecurity adviser. ``We make sure we have air in our tires
and brakes get checked. We also need to make sure we keep
computers up-to-date.''
^------
AP Technology Writer Ted Bridis in Washington and AP writer
Dirk Beveridge in Hong Kong contributed to this story.
^------
On the Net:
Microsoft fix:
http://www.microsoft.com/technet/security/virus/alerts/slammer.asp