Bharat Puri's half-a-million-dollar headache began precisely at 10:19 a.m. Tuesday.
That was when the computers at Mr. Puri's company, Young & Rubicam Canada, registered the first instance of MSBlast, the latest software worm to threaten the stability of the Internet and force corporate information technology departments to spend what could turn out to be millions of dollars cleaning up the mess.
Mr. Puri, who is director of information technology at the Toronto-based company, said he lost nine person-days in his department as his staff spent all day and night cleaning out the computers used by the 500 Y&R employees in Canada.
Mr. Puri estimates that the total cost of MSBlast — in overtime, lost productivity and extra bandwidth costs — to be about $500,000.
"This is the worst one I've seen in the last three years," Mr. Puri said yesterday. "The bandwidth was through the roof and the network was slow as hell."
The worm that hit Y&R also infected hundreds of thousands of computers around the world. In Canada, the worm was detected and quickly eliminated on computer systems at Bank of Montreal, Bank of Nova Scotia, the Quebec Ministry of Transportation and at some Ontario court offices.
There were no reports that any data on those systems was at risk. In most cases, the infected computers were shut down temporarily while they were cleaned of the worm.
The worm exploits some characteristics of operating system software from Microsoft Corp. of Redmond, Wash.
"One of the issues with this particular worm is there isn't a lot of damage that it does to a machine. Generally, all it's interested in doing is procreating and spreading," said Tom Slodichak, chief security officer at WhiteHat Inc. of Burlington, Ont., a computer security firm. "It's a general nuisance for the Internet. It creates a lot of traffic and can slow down the Internet."
"Our concern right now is this might be the precursor to a really big one because it was very rudimentary in its design," said Rosaleen Citron, WhiteHat's chief executive officer.
As far as worms and viruses go, MSBlast posed little threat to individual users, say security software experts. It does not, for example, destroy any files on an infected machine or steal personal data stored on a computer.
Its sole mission is to reproduce, to find other Internet-connected computers it can infect.
Worms such as MSBlast, though, can be particularly nasty and pervasive bits of software code because they work with no human intervention.
A computer virus, on the other hand, cannot function without human intervention. Typically, with a virus, a user must open an e-mail attachment to activate it.
A worm, though, crawls across the Internet automatically, searching out vulnerable machines. MSBlast was looking for computers running certain Microsoft operating system software. Those operating systems include the latest consumer operating system, Windows XP, as well as the business-class systems Windows NT 4.0, Windows 2000 and Windows Server 2003.
But self-propagation is not the only thing the MSBlast worm is set up to do. MSBlast is also designed to launch a co-ordinated attack on a Microsoft Web site on Saturday. Every computer in the world infected with the worm — experts believe about 1.5 million computers were infected by yesterday afternoon — would send packets of information to the Microsoft Web site with the intention of overwhelming it and forcing it to shut down.
In fact, the MSBlast code contains instructions to launch the attack every two weeks between August and December forever.
MSBlast is aimed at http://www.windowsupdate.com, the Web site Microsoft uses to distribute updates of its operating systems.
Microsoft is preparing to defend that site from an attack and said it may set up an alternate or a mirror of that site.
"We can't be really specific on the exact tactics we're using. . . . But we're engaged at every level and with all our resources to make sure we're as resilient as possible," said Sean Sundwall, a Microsoft spokesman in Redmond.
A free download that can prevent infection and fix those computers already infected has been made available through Microsoft's Web site.
There is the chance, though, that some users — particularly those who use Windows XP — may not be able to stay connected to the Internet long enough to download the fix.
Security software experts say those users should physically disconnect their computers from any network, including the Internet, then manually delete some software files and adjust some other settings before going back on-line to get the free fix from Microsoft.
Detailed instructions on the manual removal procedure is posted on-line at http://www.cert.org, the Web site for the CERT Co-ordination Center, the U.S.-government funded agency that monitors computer security threats.
David Akin is national business and technology correspondent for CTV News and a contributing writer to The Globe and Mail.
In Pictures:
