The new breed of Windows 2000 worms that emerged Tuesday have spread fast and have now infected an estimated 250,000 systems, security experts claim.

Infections are primarily of Windows 2000 systems being run in corporate environments, according to security vendor Computer Associates International. (CA).

The worms received widespread media attention after CNN reported that it had been affected by the problem, but on Wednesday representatives from companies that had been affected downplayed the level of disruption.

Worms aim at corporates

Because of the design of the worms, they have largely left home users unaffected and have instead focused on spreading within corporate networks, according to security experts interviewed Wednesday.

An undisclosed number of internal systems at telecommunications provider SBC Communications were affected by the worms, beginning late Tuesday, said Wes Warnock, an SBC spokesman, but the outages had no effect on the company's voice or data networks, he added.

American Express was also hit, according to company spokeswoman Judy Tenzer. "We did experience some issues with some of our computer desktops and much of that has now been resolved," she said.

The New York Times confirmed Wednesday that some of its systems had been infected, and ABC television network, a unit of Walt Disney, is also reported to have been hit.

Media frenzy as systems fail

While CA estimates over 250,000 systems have been affected by different variants of the plug-and-play worms, these attacks have received special attention because they have hit media outlets, according to Sam Curry, vice president of CA's eTrust Security Management division. In the past, lesser-reported attacks have hit similar numbers of computers, he said. "We see numbers climb out into the hundreds of thousands and it never gets attention," he said. "Who gets affected will influence how much publicity this gets."

CA is rating the viruses as a low to medium threat and most of its customers have not generally been widely affected by them, Curry said. "We have little to no escalations from customers that have been affected by it," Curry said. "We have no one saying, 'Oh my God I'm in trouble,' but we do have customers calling up and saying what do I need to know?"

However, McAfee Inc.'s antivirus response team raised its risk assessment to "high" for one worm variant, called IRCBot worm. Late Tuesday it said it had received more than 150 reports of the worm either being stopped or infecting users' PCs, mostly in the US but also from Europe and Asia.

By Wednesday, Symantec customers had reported just over 230 instances of the worms, the company said. This was far less than the thousands of reports that the company had received on highly publicized worm outbreaks such as last year's Sasser worm, Symantec said.

Patch those leaky Windows

It's certainly not a Sasser; it's certainly not a Slammer," said Russ Cooper, senior information security analyst for Cybertrust. "Our recommendation to our customers is to get patches applied within 90 days, because the normal mechanisms should prevent this from getting to your organization."

According to Cooper, the best way for corporations to protect themselves from these attacks is to ensure that they secure all the devices that connect to their networks. "These things are getting in through VPN (virtual private network) users or though home or travelling users," he said. "This is a common failing in organizations they have protection at a gateway, but meanwhile they let their home users connect via VPN."

The worms all stem from a vulnerability reported August 9 in Microsoft's Windows 2000 Plug and Play service. They will cause infected systems to reboot and infected systems are then instructed to download a variety of malicious software that is then used to attack other systems, antivirus vendors said.

Microsoft's Web page, "What you should know about Zotob", includes links to the patch and was updated Tuesday.