Educators who use Windows-based computers at school or at home have an urgent new reason to patch a serious flaw that was discovered in nearly all versions of Windows last month: An internet-borne infection incapacitated tens of thousands of computers Aug. 12, snarling company networks and frustrating home users as it spread across the globe.

Security officials said the virus-like worm, dubbed “LovSan,” was part of a coordinated electronic attack that exploited one of the most serious flaws yet discovered in Microsoft Corp.’s Windows operating systems.

Maryland’s Motor Vehicle Administration shut all its offices at noon as technicians cleaned the agency’s network systems.

“There’s no telephone service right now. There’s no online service right now. There’s no kiosk or express office service,” spokeswoman Cheron Wicker said. “We are currently working on a fix and expect to be operational again in the morning.”

The worm, which causes computers to mysteriously restart, was first reported in the United States on Aug. 11. While it appeared not to delete files or otherwise cause permanent damage, it knocked many computers offline. Non-Microsoft systems were not vulnerable.

Across Asia and Europe, it struck many businesses as they opened and workers logged on, spreading even without the need for user intervention.

Graham Cluley, a senior technology consultant with Sophos PLC in Britain, said his company started getting reports about the infection from Australia and then Europe.

In Sweden, internet provider TeliaSonera said about 20,000 of its customers were affected after the infection clogged 40 servers that handled internet traffic. Spokeswoman Lena Rosell said customers had their service restored by late morning.

Denmark initially reported limited problems, but “the tendency is rising, and we’re getting more reports of attacks,” said Preben Andersen, head of Denmark’s official virus watchdog agency, DK CERT. “There must be at least a couple of thousand PCs infected with this worm.”

Among companies affected in Germany was automaker BMW, said spokesman Eckhard Vannieck. The problems did not affect production, and the company expected them to be fixed by day’s end.

Computers infected by LovSan were programmed to automatically launch an attack Saturday, Aug. 16, on windowsupdate.com, a web site Microsoft uses to provide customers with software patches that can prevent such infections.

The infection was dubbed “LovSan” because of a love note left behind on vulnerable computers: “I just want to say LOVE YOU SAN!” Researchers also discovered another message hidden inside the infection that appeared to taunt Microsoft Chairman Bill Gates: “billy gates why do you make this possible? Stop making money and fix your software!”

Microsoft had posted a free patch on the web site to protect Windows users after it warned on July 16 about the flaw (see “Microsoft warns of critical flaw in nearly all Windows software,” http://www.eschoolnews.com/news/showStory.cfm?ArticleID=4514). Nearly all versions of Windows are affected.

The high-profile alerts issued by Microsoft notwithstanding, many businesses and school systems did not initially install the patches and scrambled Aug. 12 to shore up their computers.

“People are too laid back. Microsoft doesn’t do these warnings for fun,” said Cluley. “I think a lot of people have gotten into the habit of thinking viruses only come in via eMails.”

Symantec Corp., F-Secure Corp., and other anti-virus companies have free tools for removing the worm. All users, whether their computers were infected or not, should obtain Microsoft’s fix by going to http://windowsupdate.microsoft.com. They also should update any anti-virus or firewall products they have by visiting their vendors’ web sites.

S.C. Leung, spokesman for the Hong Kong Computer Emergency Response Team Coordination Center, said some home computers crashed, possibly a side effect of the infection, also dubbed “blaster.”

Individual users and small businesses appeared to be at greater risk than larger companies, which typically have firewalls that can stem such attacks. But once such a worm gets inside a firewall, unprotected computers are vulnerable.

South Korea’s Information and Communication Ministry said that about 1,900 cases of the infection were reported there.

Links:

Network Associates
http://vil.nai.com/vil/content/v_100547.htm

Symantec Corp.
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

F-Secure
http://www.f-secure.com/v-descs/msblast.shtml

Microsoft warning
http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Government warning
http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm