Microsoft pulls WindowsUpdate.com to avert Blaster

Aug 15, 2003

Users should go directly to Windows Update Web site instead

Microsoft Corp. has pulled the WindowsUpdate.com Internet address in an effort to thwart an attack on its systems by computers infected with the Blaster worm, the company said Friday.

Blaster, also known as the DCOM or Lovsan worm, spread quickly this week, infecting as many as 1 million computers, according to some estimates. Infected machines were set to stage a DOS (denial of service) attack on WindowsUpdate.com at midnight on Friday.

But Microsoft removed the target by killing the domain name, the company said Friday. Microsoft used the WindowsUpdate.com address to redirect Internet users to the software update site for Windows at windowsupdate.microsoft.com.

“WindowsUpdate.com is a nonessential address, so we just pulled it as part of our strategy to avert the worm,” Microsoft spokesman Sean Sundwall said. “That creates problems for the worm.”

Users can still get software updates by going directly to the Windows Update Web site that is part of the Microsoft.com domain. “The site is up and running, so people are getting their patches,” Sundwall said.

Internet users who type the WindowsUpdate.com URL (Uniform Resource Locator) in their browser get an error message. Microsoft has deleted the DNS (Domain Name System) information for the domain, and it no longer sends traffic to an actual Web site. DNS is the address book for the Internet, the system that maps text-based Web addresses to numeric IP (Internet Protocol) addresses.

“The domain does not point anywhere, it is a dead URL. There are no plans to bring it back,” Sundwall said.

Dumping the WindowsUpdate.com domain name may keep Microsoft from having to cope with another DOS attack, but it does not stop the worm from infecting the systems of Microsoft customers, said Lloyd Taylor, vice president of technology and operations at Web performance management services company Keynote Systems Inc.

“It is a particularly elegant solution, but it does not stop the spreading of the worm,” Taylor said.

Computers infected by the worm were set to begin sending a constant stream of connection requests to the WindowsUpdate.com address at 12 a.m. local time on Saturday. Once launched, the attack would continue, unabated, through the end of December and begin again on Jan. 16, 2004, experts said.