Bank of America Corp. said it tried to patch SQL Server 2000, its Microsoft Corp. computer operating system, at least twice last year when Microsoft notified customers of security vulnerabilities.
"We got the patch in July and again in October," said Lisa Gagnon, a spokeswoman for the Charlotte banking company, late Monday. "We applied it, but it didn't work - or we could have missed some servers in the application."
The computer worm "SQL Slammer," also known as Sapphire, infected thousands of computer servers worldwide early Saturday morning. Bank of America's system went down, knocking out most if not all of its automated teller machines, its online banking system, and its customer call centers for most of Saturday.
B of A seems to have been the banking company most severely hit in the United States.
Even Microsoft's own computers were infected by the rogue worm, according to a story in The New York Times on Tuesday. Microsoft has been saying that companies that keep up with patches will be safe from viruses, hackers, and the like, but it failed to patch some of its own computers.
First Data Corp. of Denver, the largest processor of financial transactions and the owner of Western Union, was also hit by the worm.
Bank One Corp. of Chicago said its system worked fine because it had applied the patches when they became available, starting around midyear. The worm's only effect was to keep credit card customers from viewing their accounts online for part of Saturday, the company said. It outsources its credit card processing to First Data.
Nancy Etheredge, a spokeswoman for First Data, said her company's problems arose from not having a patch for Microsoft Data Engine, an application on its workstations and PCs that helps them work with SQL Server 2000.
"Though most of our SQL servers were patched using the patch released in June 2002, no patch was available for workstations/PCs running MSDE until early Sunday morning," Ms. Etheredge said in a late-Monday e-mail. "We believe the unpatched MSDE systems were the problem."
First Data was not "able to confirm any specific difficulty with statements viewed online for any of our clients," she said.
After a hectic weekend of patching Internet security holes, companies should watch out for new cyber attacks over the next several days, experts warned in a conference call with reporters Monday.
Experts said the renegade code exploits a security weakness in SQL Server 2000, taking over a computer communications port to send copies of itself to vulnerable servers.
"I wholeheartedly expect us to see variations of this," said Edward Skoudis, the vice president of security strategy at Predictive Systems Inc., a New York computer security company.
As other hackers play with the code that caused last weekend's tie-ups on the Internet, "the new variations of this will be malicious," Mr. Skoudis said.
Predictive manages a data-security Web site, the Financial Services Incidence Sharing and Analysis Center, for financial companies. Predictive warned that the same worm could attack Microsoft Data Engine and, through it, banking companies' computer networks.
Security experts expressed some frustration that the source of the tie-ups was a known weakness for which several repairs were available. "Here is a vulnerability that has been known since July, and thousands and thousands of systems were not patched against it," Mr. Skoudis said.