A fast-moving computer worm Tuesday attacked computer systems using Microsoft operating systems, shutting down computers in the United States, Germany and Asia.

Microsoft in 'emergency response' as worm reported on three continents

Wednesday, August 17, 2005; Posted: 11:02 a.m. EDT (15:02 GMT)

WASHINGTON (CNN) -- A fast-moving computer worm Tuesday attacked computer systems using Microsoft operating systems, shutting down computers in the United States, Germany and Asia.

Among those hit were offices on Capitol Hill, which is in the midst of August recess, and media organizations, including CNN, ABC and The New York Times. Caterpillar Inc., in Peoria, Illinois, reportedly also had problems.

A small number of computers in an administrative office at San Francisco International Airport also crashed, but they were not essential to the airport's operation, spokesman Mike McCarron said.

The FBI said the computer problems did not appear to be part of any widespread attack.

While the worm affects primarily Windows 2000, it also can affect some early versions of Microsoft XP, said Johannes Ullrich, chief technology officer of the Sans Institute, a network security firm based in Jacksonville, Florida.

Symptoms include the repeated shutdown and rebooting of a computer.

Microsoft has a downloadable patch on its security homepage, Microsoft.com/security.

The director of Microsoft's security response center, Debbie Fry Wilson, said the computer giant was in an "emergency response" mode. "Right now, we're mobilizing our two war rooms," she told CNN.

"The key thing I want to stress for customers is making sure that they install security updates as quickly as possible," Wilson said.

Although she said that the number of affected computers is unclear, most Windows 2000 customers are business users. And automatic security updates would have protected most home users, she said. Wilson added that "at least 200 million computer users worldwide" have downloaded the patch.

Business software provider AssetMetrix reported in June that Computers running Windows 2000 were on about half of all corporate desks.

Microsoft is working with law enforcement to track down those who unleashed the worm, Wilson said.

Lysa Myers, a virus researcher for the computer security firm McAfee, Inc., said the worm exploits a vulnerability in Microsoft's plug-and-play service. "How it's spreading is it's looking for machines that are unpatched and running itself," she said.

What was causing the damage was unclear, although experts pointed to a new worm called worm-rbot.cbq.

David Perry of Trend Micro, an Internet monitoring firm, said the latest worm may have been derived from the Zotob worm, which was first reported over the weekend.

Ullrich, of the Sans Institute, said Zotob "will connect to a control server to ask for instructions. It scans network neighborhoods and tries to infect them, as well."

Typically, the worm enters a system via a laptop connected to unsecured networks, Ullrich said. "This laptop will infect your systems from the inside."

Several versions of the worm have been released, some as late as Tuesday, he said.

Around 5 p.m. problems began at CNN facilities in New York and Atlanta before being cleared up about 90 minutes later.

The New York Times also was able to bring its systems back up, and "newspaper production will not be affected," spokeswoman Kathy Park said.

The White House said it did not have reports of computer problems.

Improved firewalls and faster patches may have limited the worm's spread, said Jeff Havrila, a technical analyst with the U.S. Computer Emergency Readiness Team, a coalition of public and private groups that combats computer attacks.

He also said it is unclear how long the worm may take to run its course, noting that many people are away on summer vacation and may be affected only when they return.