Companies Recovering Well After Computer Worm Attack

Companies cleaned up their computer systems Sunday after a fast-spreading worm shut down Web servers in an attack that slowed the Internet for users around the world.

South Korea, which has a large Internet population, was believed to be hit the hardest in the attack, which began early Saturday, spreading through network connections rather than e-mail as many viruses do.

The worm, dubbed “SQL Slammer” because it exploits a weakness in Microsoft Corp.’s Windows 2000 SQL server database software, did not delete or otherwise touch data.

However, it crashed servers and congested traffic on the global network for a few hours, slowing downloads by as much as 50%, according to Internet performance monitoring firm Keynote Systems.

But the most damaging attack on the Internet in 18 months was curbed faster than the Code Reds and Nimda worms of September 2001, as Internet service providers moved quickly to block traffic from infected machines, experts said.

Microsoft re-released a patch for the vulnerability, with software to make it easier to install than the original patch was, said Scott Charney, Microsoft’s chief security strategist.

Concern also shifted to desktop computers that may have some of the SQL code on them, such as Microsoft Desktop Engine 2000, according to Russ Cooper, a research expert at TruSecure Corp. He said Compaq Insight Manager, Dell Open Manager and HP OpenView also contain “mini SQL servers.”

Overall, industry experts said the Internet had weathered the attack very well.

Most services and sites were restored by Saturday evening, and security experts said Sunday that the problem was largely under control, though some worried of lingering infections when businesses reopen today.

The FBI said Sunday the attack’s origins were unknown.

During the attack, there was a 1 in 5 chance that e-mail wouldn’t get through or downloading information from a Web site would take one to two minutes instead of 10 seconds, according to Tom Ohlsson, vice president of marketing at Matrix NetSystems, an Internet performance monitoring company.

“In the final analysis, what we had was a major nuisance that was short-lived,” he added.

Infected systems can be cleaned up by just turning the system off and then back on, but companies are encouraged to install the Microsoft patch to prevent further infection or to configure their firewalls to block traffic coming into a specific communications port the worm uses.

Though the virus tapered off relatively quickly and Internet traffic was flowing smoothly, there were signs the worm was not yet dead.

“Right now, there are 120,000 IP [Internet Protocol] addresses out searching for systems to infect,” said Alan Paller, research director at the System Administration, Networking and Security Institute.

Statistics on companies and computers affected were not easy to obtain. The worm affected Bank of America and some of its automated teller machines.