Software Notebook: Live on television, a worm attacks

Wolf Blitzer was in crisis mode, warning computer users to protect themselves. Paula Zahn started her program by reporting on crashing PCs in the CNN newsroom. And Charles Gibson talked about needing to use ABC's old typewriters.

The latest Windows worm, Zotob, was notable in part because its victims included some major media organizations. Although a variety of businesses were struck by the worm, it created a particularly challenging situation for the broadcast media, which found itself reporting in real time on a problem that was hitting very close to home.

The result last week was an unusually large spotlight on the security woes that have hampered Microsoft's software.

Cue the CNN music.

"We are continuing our coverage of tonight's big story: A computer worm that is spreading havoc in systems all over the world," Zahn told viewers at the outset of her Tuesday show, according to a CNN transcript. "Here is exactly what we know right now: Someone has unleashed a worm that cripples computers by forcing them to continuously shut down and restart. It's been a wild scene around our newsroom today because of that."

Earlier, on CNN's "Situation Room," Blitzer had called the worm a "potentially huge story."

And on "Good Morning America" the next day, correspondent David Muir reported that the Zotob worm and its variations had "already paralyzed hundreds of thousands of computers using Microsoft Windows," according to a transcript. Program host Gibson had explained to viewers earlier that ABC was among those affected.

Ultimately, the spread of Zotob and its variants wasn't nearly as dramatic as some of those initial reports might have made it seem. In fact, one analyst said the way the worm fizzled showed the progress Microsoft has made in securing its widely used programs.

"They've got a long way to go, but they are doing a lot better than they were," said Paul Stamp, a Forrester Research security analyst.

Other portions of the coverage were overstated. At one point, for example, CNN reported that home users might want to shut down their machines, just to be safe.

As it happened, the effects of the worm were limited to machines running Microsoft's older Windows 2000 operating system, so that advice wouldn't apply to most home users, said John Pescatore, vice president for Internet security at Gartner Inc. Primarily businesses were affected.

But that was early in the incident, when details were still coming in, and it might be hard to blame CNN for advising its viewers to be cautious.

"We were covering breaking news while experiencing breaking news, which is a challenging thing to be doing," CNN spokeswoman Laurie Goldberg said.

In fact, in some respects, the urgent tone of the coverage may have helped, said David Perry, director of education with antivirus company Trend Micro and one of the experts on Blitzer's show Tuesday. Reports of a spreading worm may have caused corporate systems administrators to jump into action to apply the patch that Microsoft had supplied the previous week.

"There was a lot of activity because of the media reaction to it," Perry said in an interview Friday. "If the CEO sees the alert on TV, he calls down and says, 'Take care of this right now.' "

And quick action was a good thing under the circumstances.

"If you were an enterprise that was attacked by this worm, the pain was very real," said Debby Fry Wilson, director of Microsoft's Security Response Center. "There was disruption of the network and a big investment in terms of getting everything back to a recovery state."

The actual effect of the Zotob worm on individual machines was similar to that of the previous Blaster and Sasser worms, Wilson said. Those earlier worms caused widespread problems.

But the rate of infection was much lower this time around.

One reason was the fact that it was limited to people using Windows 2000 machines not patched with the latest update or not protected by a firewall. It didn't affect the larger number of people running Microsoft's Windows XP operating system.

Wilson cited built-in protections in Windows XP that shielded it from the Zotob worm, including a firewall that was turned on by default in Windows XP Service Pack 2, Microsoft's big security update last year. In addition, the specific code vulnerable to the latest worm is in a position in Windows XP where it isn't exposed to outside attacks.

The Zotob worm "was fairly routine in nature, in terms of its scope and impact," Wilson said. "From that perspective, it was not what we would consider a significant security incident."

Microsoft has been trying to persuade companies and home users to pay more attention to security. Among other things, the company wants people to use its automatic updating service to quickly detect and apply security patches when they're available.

From that standpoint, Wilson said, the disproportionate amount of media attention last week wasn't such a bad thing.

"There were some high-profile customers that were attacked by the worm," said Wilson, who also appeared as a guest on Zahn's show. "That made the situation somewhat of a news event, and that gave us an opportunity to help educate computer users about security measures."

By Tuesday evening, most of the computer woes had been fixed in the CNN newsroom, Goldberg said. During the crisis, the network forged ahead with no serious problem on air.

"To the regular viewer, they wouldn't have even known that it was happening," she said, "except that we were reporting it."

Some advice from Microsoft and Internet security experts:

Use a firewall. Windows XP Service Pack 2 includes a free one. Free firewalls also are available from other companies, such as Zone Labs and Sygate.

Use and run anti-virus software, and update it frequently.

Keep your computer up to date by applying security patches when they're issued. Microsoft suggests using the company's Automatic Update service for direct delivery of patches.

Microsoft's removal tool for Zotob and other malicious software: www.microsoft.com/malwareremove.

Microsoft's security homepage: www.microsoft.com/security.

Software Notebook is a Monday feature by P-I reporter Todd Bishop. He can be reached at 206-448-8221 or toddbishop@seattlepi.com.

Add P-I Business headlines to