Experts contain 'worm' that threatened computer systems
By Anick Jesdanun
NEW YORK A feared Internet attack resulting from a fast-spreading computer worm fizzled yesterday, as security experts said they contained it by identifying and blocking computers key to coordinating it.
Experts feared the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk e-mail.
But when the appointed time came, all the worm did was initiate visits to a pornography site, said Vincent Weafer, security director with Symantec Security Response.
"There is nothing malicious, just a standard sex site," he said.
Also yesterday, Easynews.com, a Phoenix provider of newsgroup services, said it was complying with an FBI subpoena for information on an account used to distribute the worm. Easynews said the account appeared to have been created with a stolen credit card.
FBI spokesman Paul Bresson refused to comment, saying only that the agency was investigating.
The attack began with the worm attempting to reach one of 20 computers, mostly in the United States and Canada, to obtain information key to continuing. Infected computers were programmed to keep trying every Friday and Sunday between 3 and 6 p.m. EDT.
Anti-virus experts identified those computers and persuaded their Internet service providers to shut access to some of them.
"There's a potential risk for Sunday, but I think it's really mitigated," said Chris Rouland, vice president for research and development at Internet Security Systems Inc. "All the network operators are aware they need to block these (Internet addresses) now."
Keynote Systems Inc., which measures Internet performance, said the Net's main pipelines were holding up fine, but isolated congestion was possible because of higher-than-normal Internet traffic.
Mikko Hypponen, manager of anti-virus research with F-Secure Corp. in Finland, said users should clean their computers using anti-virus software anti-virus companies have issued free tools to do so or turn off machines if they cannot run the disinfecting software.
Users with firewall programs can also block UDP port 8998, which is the Internet opening the worm uses to communicate with the outside world. Experts say that doing so should have at most minor interference with other Internet functions and that many service providers were already blocking the port for their customers.
Already, Sobig.F has resulted in e-mail disruptions at several businesses, universities and other institutions. Sobig.F did not physically damage computers, files or critical data, but it tied up computer and networking resources.
The New York Times asked employees at its headquarters to shut down their computers for part of the afternoon yesterday because of "computing system difficulties."