The Daily Whim

Thu. Aug 14, 2003

Worms in the System

You’ve probably heard about the worm, maybe even been hit by it (here’s some good directions for removal). Here at Bunker PD we’re protected by a dumb router that bounced the smart worm away, but that doesn’t mean I was unaffected by it. And that’s why I can state this particular part of this story is at least partially false.

“Atlanta-based Internet service providers EarthLink and said the worm did not cause problems for subscribers. EarthLink, the nation’s third-largest Internet service provider, protected its network against the worm Monday, said Greg Collins, director of network engineering.”

OK, well, it must have been very late Monday. You see, Susan bought her son a new Dell as a 21st birthday present, and it was delivered Monday. I set up that computer, and created the DSL connection via his grandparent’s Earthlink DSL account. In a bizarre quirk I learned while trying to set up my new computer earlier this year, Windows XP apparently will not successfully create a DSL connection unless you first create a dial-up modem connection. So that was Step One for me, and when I checked, by default, the connection had the Internet Firewall turned on. So when I then created the DSL connection, I made the mistake of assuming that it, too, would have the Internet Firewall turned on by default.

Bad assumption.

It was at least 5pm when I made the first log on to Earthlink DSL, but within 15 minutes, the worm hit the unprotected Port 135, and we were in Reboot City. So despite their claim, by the close of business Monday, Earthlink’s system was still propagating the worm. At that moment though, I’d only heard some brief rumblings about a new threat, so my thinking was, “we haven’t even set up an e-mail account or downloaded anything, how can it be a virus?”

Unable to stop the rebooting (I’ve since learned that > Run > “Shutdown -a” will abort the countdown to reboot), I told Alex he’d have to get on the phone with Dell tech support and go through troubleshooting. Only when I got home was I able to research the specific error message, find out the true nature of the threat, and find messages from hundreds of people struggling with this worm. It was simply pure coincidence that Alex’s computer arrived, unpatched, on the very day this worm really took off.

Tuesday, I came back with the patch on a floppy, dewormed the computer, got his new virus software up to date, and scanned the system until it was sterile.

Relatively harmless, but a nasty little critter nonetheless. And devious, too: “One of the more unusual and ominous features of MSBlaster, in fact, is that it includes coding that is designed to launch a so-called denial-of-service attack on Microsoft’s Windows Update Web site—the same site where patches can be downloaded—beginning on Saturday and continuing through the year.”

Yep, on the 16th of each month, there will be attempts to swamp the Windows Update site, possibly complicating the efforts of those trying to download the patch. So if you run Windows XP and you haven’t patched your system, get it before Saturday.

Peanut Gallery

1  Matt McIrvin wrote:

My wife has become unofficial MSBlaster Tech Support for everyone she knows, and has developed a standard spiel about how to use firewalls and apply security patches. Most people, it develops, have no idea what Windows Update is or does, and just ignore the update notices. People are getting hit by this who insist they "never get viruses," because they've become conditioned to protect themselves well against e-mail viruses but aren't used to worms coming in through open ports. It reminds me of the Robert Morris Sun worm back at the dawn of time-- the first time I remember the Internet getting any mass-media publicity at all! And I'm thankful for our old SMC Barricade router/firewall, though neither of our computers were actually vulnerable in the first place.

2  PhotoDude wrote:

You've somewhat described me. I've never had a virus (3 computers, 7 years), and have run a firewall and/or router for the past 4 years. I'm very aware the Internet can be a bad 'hood, so much so that I turned off the pop up alerts my firewall would give whenever someone/something tried to probe my system, because they happen all the time.

So I was pretty flummoxed by this one, due to the unique circumstances. I was setting up a brand new virginal system, and I thought I'd set up a firewalled connection. We'd ordered both McAfee and a year of updates so he'd be protected but, of course, the reboot problem started before I had a chance to download the latest virus definitions and scan engine update. To my knowledge, I had a virginal system with only the original software and a firewalled connection that had never even been pointed to any mail server. Whatever problem it was exhibiting just had to be a configuration problem with the new system. And though I was wrong, in a way, I was right.

How much extra trouble would it be for Dell (and other manufacturers) to install Windows XP, and Service Pack 1, and Critical Windows Updates that had been released prior to the computer's burn in period just before shipping? How hard would it be to not only do that, but use it as a distinguishing competitive selling point? “Your computer will have the latest updates available the day before it ships, not only to insure our customers receive the very best service, but because it's a matter of national security.” I mean, it's a big bandwagon, might as well hop on board.

More pragmatically, how many man hours have been expended in businesses and homes over the past three days dealing with this worm (I can personally account for about three, including driving time)? Imagine if today, you saw a commercial that simply said, “Any Acme computer bought after July 17 should be unaffected by the new LovSan worm, because Acme ships updated systems. And if you bought an Acme computer prior to then, we are mirroring the patches you need at” How many frustrated victims would remember that the next time they buy a computer? Dumb bunnies.

And speaking of which, I have to admit I haven't been very good about using Windows update. When I got my new system in February, I went ahead and downloaded the available updates. I then proceeded to ignore the pop up window for updates until June. And after this week's debacle, on Tuesday I updated again. There are certainly people who simply ignore the updates, and I imagine for those on dialup connections, it can be a real pain to download them.

But Microsoft propagates some of the reluctance themselves. First, the fact there's a need for so many security related updates doesn't exactly inspire confidence. And second, the patches themselves aren't always stable. In researching this particular case, it appears that the patch released on July 16 caused problems for a lot of people, and thus, in others, a reluctance to download it. Now everyone appears to be using the August 1 patch with no problems ... yet the July 16th patch is still on their site. It sets up a bit of a duality; I want my computer to be up to date, but I want it to be stable, too. The best advice I've read was from someone who suggested checking to see what updates are available, and then Google the unique id number each update has. Problem patches should show up quickly in Google results, as people complain about it.
