Reader's advisory: Wired News has been unable to confirm some sources for a number of stories written by this author. If you have any information about sources cited in this article, please send an e-mail to sourceinfo[AT]wired.com.
Friday's arrest of a Minnesota teenager who reportedly confessed to coding a variant of the Blaster worm provided little comfort to those who are still struggling to clear its contamination from their computers.
One virus writer may be off the Internet, but his creation still lives on inside the many infected machines that continue to spontaneously shut down and re-start, due to the effects of the worm.
"I'm glad they got the kid, but my machine is still cursed," said George Blackman, a Manhattan graphic artist. Blackman has been struggling with his "jinxed, voodooed and diseased" computer for the last week, not realizing that his machine had been infected by Blaster until news of the arrest broke on Friday.
Some Blaster-bedeviled users knew that the incessant rebooting that bewildered Blackman and others wasn't caused by the evil eye, but was the fault of the worm. But they said they were unable to stay online long enough to find out how to purge the infection from their machines.
"Every 10 minutes, a timer pops up on my screen and warns me the computer is going to shut down in 60 seconds," said Norma Valdrone. "Far as I can tell, it takes about 15 minutes to download the patch that would protect my system, so I guess I'm screwed."
Owners of infected machines can halt the shutdown routine that has made it impossible for some to obtain patches and removal software.
Security firm F-Secure offers a free deworming tool and has also outlined an eight-minute method to stop computers from rebooting and clear Blaster from systems.
According to F-Secure, when the dreaded shutdown timer and dialog window appear on the screen, users should click Start, select Run, type "shutdown -a" and press Enter. Then run the deworming tool.
Blaster first struck on Aug. 11. Eight days later, the Sobig virus was released and quickly flooded networks and inboxes with millions of spam-spew messages. Sobig has all but vanished for now, but Blaster and its variants are still quite active, according to security experts, who said that many users are still confused by Blaster.
"People are definitely struggling with this. I think Blaster got overshadowed by Sobig, and people weren't fully informed," said Chris Wraight of antivirus firm Sophos. "Blaster is still active on a lot of machines, and some home users just don't know what it is or how to handle it."
Sobig, which arrived in e-mail attachments, was a more visible worm than Blaster, which crawls quietly into computers through network connections.
Often the only sign users have that their machine is infected with Blaster is the appearance of a Windows XP system alert warning them that the computer is preparing to shut down.
"People are totally confused by this worm because the alert is a valid systems dialog," said systems administrator Guy Aitcherns. "They assume it's just another computer problem. Maybe one or two out of the three dozen people I spoke with had any idea their machine had been infected by a worm."
Infected machines also attempt to spread the worm to other computers via network connections. Since many users aren't aware their machines are infected, or don't know what to do about it, Blaster remains active.
On Thursday, security organization SANS posted an alert warning systems administrators that "the number of hosts infected by MSBlaster are not decreasing and stand at around 150,000. Network administrators are strongly advised to track down infected machines."
Even computers that were properly patched but were not protected behind a firewall fell victim to Blaster, adding yet more angst to the confusion.
"I know I don't have the worm, I did the patch and my antivirus software says I don't have it," wrote Virginia Fellers in an e-mail to Wired News. "But my computer keeps shutting down, so can you please explain what's happening before I throw the computer right out the window?"
According to Microsoft, when Blaster attempts to infect patched systems, computers may respond by crashing. The only way to keep that from happening is to run a firewall application.
"I feel like I'm fighting a losing battle," said Fellers. "I try to stay on top of all this security stuff, but by the time I boot one virus out the door the next one's already crawling into the window."
Several Blaster variants are already circulating on the Net. Last Friday Sophos researchers spotted the first copies of Blaster.E.
Blaster.E is functionally equivalent to Blaster.A, the very first incarnation of Blaster, except the new worm will now attempt to carry out a denial-of-service attack on the website of self-described German hacker Kim Schmitz, also known as Kimble.
Kimble is best known for being arrested on investment fraud charges, just hours before carrying out his pre-announced suicide, which he had promised would be broadcast "live and for free" on the Web.
Blaster.A was programmed to attack and take down Microsoft's software-update website, where users can obtain patches to protect against worms like Blaster. The attack was unsuccessful.
Blaster.E also contains this message embedded in its programming code: "I dedicate this particular strain to me ANG3L -- hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!"
The original version of Blaster had a message chiding Bill Gates for allowing worms like Blaster to happen.
It's not known whether the same coder is responsible for all the Blaster variants, but experts believe that different virus writers are tinkering with the worm. On Friday, the FBI and the Secret Service in Seattle announced that they had arrested the author of Blaster.B, a more dangerous variant of the original worm.
According to a report by Reuters, Jeffrey Lee Parson, 18, of Hopkins, Minnesota, has admitted to coding Blaster.B.
On Friday Parson, described in the Reuters report as being 6 feet 4 inches tall and weighing 320 pounds, was arrested on one count of intentionally causing or attempting to cause damage to a computer.
According to an Associated Press report, court documents state that Parson's version of the worm infected at least 7,000 computers. Blaster.A is believed to have infected at least 500,000 systems in the first week after its release, according to antivirus software firms Symantec and Trend Micro.
The contents of Parson's website, t33kid.com, had been removed from the Internet by Friday afternoon. Google's caching feature reveals that Parson's site contained information and links to viruses created by Parson and others.
Security experts warn the next worm will soon be coming to a computer near you.
"Blaster was the same old thing with a different face," said John Riley of Mazu Networks, a network-monitoring company. "Sobig was also a different face on the same problem. Blaster was eclipsed by Sobig, and probably some time soon Sobig will also be eclipsed by the next big thing.
"You can't secure what you don't know and understand."