BOXBOROUGH, Mass. – A new network worm that targets a well-publicized vulnerability in Windows servers and workstations has infected hundreds of thousands of computers worldwide and even shut down Maryland's Department of Motor Vehicles for an afternoon. But the Internet traffic jam caused by the so-called Lovsan or MSblast worm can be avoided.

"Remember, Microsoft had the patch for this particular worm released almost two weeks ago," said Dan Sheehan, senior security consultant for Vibren Technologies, a Massachusetts-based provider of IT security for several Fortune 100 clients, including financial institutions, as well as several credit unions.

Quietly spreading without the benefit of e-mail, the worm attempts to enter a specific port in Windows systems to download and run a file called msblast.exe. Credit Union Times contacts were reporting at press time computer problems that they suspected were related to the worm.

The worm's other name comes from some dialogue that often accompanies its trail: "I just want to say LOVE YOU SAN!! billy gates why do you make this possible ? Stop making money and fix your software!!" (SAN is a possible reference to the SANS (SysAdmin, Audit, Network, Security) Institute, a well-respected cooperative research and education organization.)

The security community had been anticipating the outbreak since the well-publicized vulnerability was announced a couple of weeks ago and Microsoft made a patch available. The worm scans Internet addresses to locate vulnerable Windows machines. It then copies itself over and modifies the system so the worm will be executed every time the machine is started. It also restarts infected machines; on some occasions, the worm restarts the machine repeatedly, as often as once a minute. The result can be server and workstation shutdowns and Web site downtime.

"I've heard that it has affected several financial institutions," Sheehan said Aug. 13.

Niels Taylor of CU Defense, the security arm of Internet banking vendor PM Systems Corp. in Chapin, S.C., said there had been no inquiries about the Blaster worm from his firm's clients. "Most credit unions that we deal with have well-configured firewalls, which will not allow these ports," he said. "We sent an e-mail to customers advising them of this when Microsoft issued a security bulletin. We also encourage all our customers to sign up for the MS Security Bulletin Service," Taylor said.

Sheehan, meanwhile, said he is advising any affected users to update their anti-virus platforms and "push down the updates to the client machines. They then need to remove the worm and patch the infected systems." He also would advise reviewing "firewall rules sets to ensure that they don't allow the ports mentioned into the network," he said.

"Unfortunately, the worm can get into the enterprise via VPN (virtual private networks), laptops, unsecured remote access and multitude of other avenues. This comes down to security policies and procedures and how they are enforced and practiced within the client's network," said Sheehan.
