Plug-and-play bots worming and warring among Windows systems
Robert Lemos, SecurityFocus 2005-08-17

More than a dozen different worms have been created from the latest Microsoft Windows vulnerability and readily available bot software and have started attacking each other's compromised systems, security experts warned on Wednesday.

The worms--which appear to come from three families of code dubbed Zotob, Botzori and IRCBot--started spreading on Sunday without much fanfare. However, on Tuesday, computers at CNN and the New York Times became infected by one or more variants of the worm, and the public profile of the programs increased a notch.

The worms are all based on versatile attack programs, known as bot software, which have added the ability to spread via a flaw in Microsoft's Windows Plug-and-Play functionality. Several bot programs had incorporated the code to exploit the flaw late last week, and starting with the Zotob worm, began adding the ability to automatically find and infect systems by last weekend. As of Wednesday morning, at least 12 versions of bot software were using the exploit to spread, said Mikko Hyppönen, chief research officer for antivirus firm F-Secure.

"The situation is very complex because there are so many worms," said Hyppönen, who described the worms as "bots set to self replicate." Moreover, the worms have started targeting each other, he said. "These latest worms are actually fighting each other, like MyDoom, Netsky and Bagle. We are seeing the same thing (as those attacks), but with bots--it's a big bot war."

On Wednesday, F-Secure had captured a dozen different variations of the worms based on bots. Several versions, including two based on IRCBot and three on Botzori, attacked earlier versions of the worm based on the Zotob code. Symantec, which owns SecurityFocus, tallied seven variants of Zotob, two variants of Esbot, a version of Bobax and a version of Spybot that used the most recent Microsoft flaw. Antivirus firms frequently use company-specific names for the same threat.

The dozen variants of the Plug-and-Play worms are the first major programs since the Sasser worm to spread by targeting a vulnerability in Microsoft Windows. The Sasser worm started spreading on April 30, 2004, using a vulnerability in a Windows component known as the Local Security Authority Subsystem Service, or LSASS. While it's unknown how far the worm spread, a week into the outbreak Microsoft said that 1.5 million users had downloaded a cleaning tool for the worm. The Blaster worm had infected about 10 million users, according to Microsoft estimates.

The Zotob worms are versions of the Mytob worm that have been modified to use a flaw in Microsoft Windows' Plug-and-Play capabilities. The software giant had patched the issue on August 9, five days before Zotob started spreading.

The latest incarnations of the worm point toward competition between the groups, known as bot herders, that illegally create and manage the networks of compromised systems, or bot nets. Moreover, it's no surprise that the groups have quickly latched onto the latest exploit, said Joe Stewart, senior threat researcher for security firm Lurhq.

"These guys have been pretty desperate for a new exploit for a while," Stewart said. "They had been using LSASS for too long, and been scraping the bottom of the barrel for exploits, so now everyone and his mother is now going to use this instead."

The Zotob worms compromise systems by sending data on port 445. Once a computer is infected, the worm starts a file-transfer protocol (FTP) server and attempts to spread further. The worm still has some bot functionality: Computers infected with the worm will join an Internet relay chat (IRC) session at a predefined address. An attacker who knows the IRC channel password can command the bot to disconnect or reconnect to the IRC channel, obtain system information, clean itself from the system, modify security settings, and download or execute files, according to an analysis of the Zotob.B worm.
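The infection sequence just described (inbound traffic on port 445, then the compromised host serving FTP and joining IRC, then scanning further hosts on 445) can be turned into a simple correlation rule over flow records. The following is an added example, not code from the article or from any vendor named in it; the flow records are constructed, and the FTP (21) and IRC (6667) port numbers are assumptions, since the article names the services but not the ports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the article):
# "timestamp src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
2005-08-16T09:00:10 10.0.0.7 1041 10.0.0.25 445
2005-08-16T09:00:12 10.0.0.25 1100 10.0.0.7 21
2005-08-16T09:00:30 10.0.0.25 1101 192.0.2.50 6667
2005-08-16T09:00:45 10.0.0.25 1102 10.0.0.40 445
2005-08-16T09:00:46 10.0.0.25 1103 10.0.0.41 445
2005-08-16T09:00:47 10.0.0.25 1104 10.0.0.42 445
2005-08-16T09:05:00 10.0.0.9 1050 10.0.0.60 445
2005-08-16T09:05:10 10.0.0.60 2000 10.0.0.61 80
"""

# Assumed service ports; adjust to what the variant in your environment uses.
FTP_PORTS = {21}
IRC_PORTS = {6667}
WINDOW = timedelta(minutes=10)   # how long after the 445 hit we look for follow-on activity
SCAN_THRESHOLD = 3               # distinct 445 targets that mark a host as a spreader

def parse_flows(text):
    """Parse the whitespace-separated records into sorted (ts, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return sorted(flows)

def find_infection_chains(flows):
    """Return {host: (t_445_in, t_ftp, t_irc)} for hosts showing the full sequence."""
    hits = {}
    first_445_in = {}
    for ts, _, _, dst, dport in flows:
        if dport == 445:
            first_445_in.setdefault(dst, ts)   # earliest inbound 445 per host
    for host, t0 in first_445_in.items():
        later = [(ts, dport) for ts, src, _, _, dport in flows
                 if src == host and t0 < ts <= t0 + WINDOW]
        t_ftp = next((ts for ts, p in later if p in FTP_PORTS), None)
        t_irc = next((ts for ts, p in later if p in IRC_PORTS and t_ftp and ts > t_ftp), None)
        if t_ftp and t_irc:
            hits[host] = (t0, t_ftp, t_irc)
    return hits

def find_spreaders(flows):
    """Return {host: n_targets} for hosts contacting many distinct hosts on 445."""
    targets = defaultdict(set)
    for _, src, _, dst, dport in flows:
        if dport == 445:
            targets[src].add(dst)
    return {h: len(t) for h, t in targets.items() if len(t) >= SCAN_THRESHOLD}
```

Run against real flow exports, the chain rule isolates hosts that were exploited and then phoned home, while the spreader rule catches them once they begin scanning, which is the same signal the crashed Windows 2000 machines described below were generating.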

The worms contain acknowledgments and a half-hearted threat aimed at antivirus firms:

Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3. MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!

A side effect of a worm infection is that the compromised systems, almost exclusively Windows 2000 computers, frequently hang or crash. Multiple sources on security mailing lists described disruptions caused by the worm crashing computers.

Several divisions of the New York Times had to deal with the worm on Tuesday, including the newsroom and corporate headquarters, said spokeswoman Catherine Mathis.

"We did experience difficulties yesterday afternoon ... but it didn't affect production," Mathis said.

CNN also had systems affected by the worm.

"We were hit by it," CNN spokeswoman Laurie Goldberg said. "Because we have multiple systems in place, you couldn't tell we were hit on the air--we didn't meet a beat on air."

Disney and its ABC News division were also affected by the worms, CNN reported on Tuesday. A spokesperson from Disney could not immediately be reached for comment.

While the news organizations did not describe how the worms got into the companies, the delay between when the worms started spreading on Sunday and when the companies reported the attacks left some security experts speculating that some variant of the worms hitched a ride on workers' laptops.

"If you have a big enough network, you have to assume sooner or later someone will walk in with an infected laptop," F-Secure's Hyppönen said.

Despite a heightened public profile due to the infection of computers owned by media outlets, security professionals have downgraded their warnings for the worm.

The Internet Storm Center, a group of volunteers that monitor network attacks for the SANS Institute, reduced its threat level for corporate networks from yellow to green late Monday. In addition, Microsoft disputed that the worms were quickly compromising companies.

"We are not aware at this time of a new attack; instead our analysis has revealed that the reported worms are different variations of the existing attack called Zotob," the company said in a statement. "Microsoft has reviewed the situation and continues to rate the issue as a low threat for customers."

The company refused to comment on whether it would place a bounty on those responsible for the worms. Microsoft got its first success in pursuing those who release worms and viruses with the conviction of the author of the Sasser worm last month. Under the company's Anti-virus Reward Program, a $5 million initiative established by Microsoft in November 2003, a $250,000 reward will be given for information leading to the conviction of those responsible for the outbreaks of the Blaster worm, the Sobig virus and the MyDoom virus.

While the self-spreading bots have gained the attention of many network administrators, the more stealthy bots and Trojan horse programs should be a greater worry because they target sensitive information and may not be detected even by current antivirus software, said Johannes Ullrich, chief technology officer for the Internet Storm Center.

"The more sophisticated bot software is more of a threat to most companies than the worms, because you don't know if your systems are infected," Ullrich said.

In fact, the latest bot-worm hybrids may be the picture of the future, he said. The next worms will also likely be built on bot software, because the code is readily available and the latest exploits for software problems can be plugged right in.

Lurhq's Stewart agreed, adding that the groups compromising systems to create bot software are less involved with the technology.

"These criminal groups are not changing the code a lot nowadays," Stewart said. "They are more like companies buying a software application--they are looking at open-source bots, and modifying them just enough to build their businesses on them."

Copyright 2006, SecurityFocus