Breaking news: worm attacks CNN, ABC, The Financial Times, and The New York Times

August 17, 2005 Sophos Press Release

[Image: Message on the Financial Times website. Caption: The Financial Times published a message on its website about the worm to its readers.]

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have advised computer users not to panic, but to ensure appropriate defenses are in place, following media reports that a worm has disrupted business at CNN, ABC, The Financial Times, and the New York Times.

The worm is affecting computers which are not properly patched against Microsoft security holes such as the MS05-039 Plug and Play vulnerability. It is not immediately obvious which worm has caused the infection as a number of viruses use the exploit - including W32/Tpbot-A and W32/Dogbot-A, as well as the Zotob, Rbot and Tilebot-F worms.

Sophos, which has issued protection against all potential suspects of this outbreak, warns that such attacks are not unusual and that organizations unpatched against vulnerabilities can expect to be regular targets for virus writers, hackers and phishers. It also points out that more worms will attempt to exploit this particular vulnerability.

"The experts at Sophos are analyzing more and more pieces of malware which are exploiting this serious security vulnerability in Microsoft's code," said Graham Cluley, senior technology consultant at Sophos. "These types of attacks are becoming a standard part of the virus writers' armory. If you are responsible for network security inside an organization it's time to wake up and smell the coffee: you need to patch your systems now against these security holes or not be surprised when hackers and worms blast their way through."

The Financial Times has published a report on its website announcing it was infected by the worm, along with CNN, ABC and the New York Times. According to a CNN report the news organization was hit at 5pm on Tuesday in Atlanta and New York. Meanwhile, a spokeswoman for the New York Times said the newsroom and other corporate areas of the newspaper had been affected by a virus but that the problem had been rectified.

"Computer viruses don't discriminate: they will attempt to hit anyone with an unprotected computer, be they a home user in a back bedroom or a multinational corporation," said Cluley. "However, there is no need for panic or hysteria. Everyone should ensure that their anti-virus software automatically updates itself, that they have a strong firewall in place, and that they have installed the latest Microsoft security patches."

"These companies are used to delivering the news, not starring in the headlines themselves," continued Cluley. "This serves as a timely reminder to all businesses to treat network security as a priority."

Viruses, worms and Trojan horses that exploit the latest Microsoft vulnerability

More and more virus writers are exploiting the new MS05-039 vulnerability that Microsoft issued a patch against last week. The list of malware which uses the security hole to spread includes:

How to protect your computers

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.

Sophos recommends that IT staff responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx. Sophos advised customers to patch against the latest security vulnerabilities in Microsoft's software last week. The patch for the MS05-039 Plug and Play vulnerability can be found on Microsoft's website. However, Sophos recommends that businesses also ensure they are protected against other vulnerabilities commonly used by worms and hackers such as:

LSASS (MS04-011) security vulnerability
RPC-DCOM (MS04-012) security vulnerability
MSSQL (MS02-039) security vulnerability
UPNP (MS01-059) security vulnerability
WebDav (MS03-007) security vulnerability

"The only good thing which might come out of this high profile worm outbreak is that more people and businesses may wake up to the importance of properly protecting their systems from viruses and internet worms," said Cluley. "All companies should take a long hard look at their networks and ask, 'could that have happened to us?'"

Sophos continues to recommend that companies protect all tiers of their organization - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.

Further reading: War of the worms: Malware fights for control of insecure computers