MSBlast worm infections slowing

The MSBlast worm's infection rate is slowing as companies and home users clean up compromised computers, according to anti-virus firms.

The worm is continuing to spread to new computers, but the rate of infection has slowed significantly. Since Monday the worm had infected as least 330,000 computers, according to Symantec.

Vincent Weafer, senior director for the company's security response team, said: "We had an exponential growth on Monday, but it has dramatically slowed down."

Far fewer computers may currently be infected with an active copy of the worm. Symantec's data does not take into account the number of infected computers that have been cleaned of the worm.

Unlike the more common mass-mailing email viruses, an internet worm like MSBlast spreads automatically, by exploiting weaknesses in computers that are connected to the internet. The worm uses a widespread Windows flaw that Microsoft warned about and patched a month ago.

People who have not applied the patch - by downloading it from Microsoft's Windows Update service or the company's web site - are the only ones vulnerable.

Security company Network Associates said it has received reports of infections from several hundred companies and PC users.

Vincent Gullotto, vice president of Network Associates' antivirus emergency response team, said: "We are seeing a continual drop off - Tuesday was the day it really had the opportunity to spread. Our process today is really focused on any problems that customers are having."

If true, the drop in the number of computers infected could be good news for Microsoft.

The primary payload of the MSBlast worm is a denial-of-service attack against the network from which most Windows users get their updates. If successful, the manoeuvre will frustrate efforts to patch the Windows vulnerability that the worm exploits. The strategy is also a way of simply harassing Microsoft; the worm's code contains a message for the company's founder: "billy gates why do you make this possible? Stop making money and fix your software!!"

Computers infected with the worm will start sending connection requests to the Windows Update service at midnight on Friday, according to the clock on a given user's computer. That will first happen in Russia, just over the International Date Line.

Not everyone agrees that the worm is going away just yet. Some organisations are seeing indications that the worm's spread is growing, or at least, that more people are becoming aware of the self-spreading program.

The Computer Emergency Response Team (CERT) Coordination Center, a clearinghouse for information on internet threats, continued to see about the same number of reports on Thursday as the previous day.

Art Manion, an Internet security analyst with the CERT Coordination Center, said: "It is really hard to say up or down. Reports are fairly steady. Our numbers are not good enough to say up or down."

The group previously said that as many as 1.4 million internet addresses had become the homes of computers infected by the worm.

However, Manion stressed that the numbers do not correspond to computers on a one-to-one basis. Many computers are connected to broadband providers that assign a different Internet address to a computer each time it connects to the network.

"We can't give any finer resolution than hundreds of thousands of computers," said Manion.

Anti-virus firm Trend Micro reported that reports of worm infections had jumped threefold overnight from Wednesday to Thursday, but acknowledged that PC users may have only recently realised that performance issues with their computers were connected to the worm.

Joe Hartman, director of North American anti-virus research for Trend Micro, said: "People say, 'OK, maybe I am infected,' and then they go online to check. We haven't seen all of it yet."

Hartman also stressed that it is very hard to estimate the number of computers that are actually infected at any given time, but believed that it's holding fairly steady.

"It isn't increasing all that much, because more people are using anti-virus software and are using firewalls," he said. As more people become protected, the worm has fewer places to go

Robert Lemos writes for CNET News.com