Well-placed sources told ZDNet Australia that RTA employees were told to shut down their systems late yesterday while IT staff dealt with the infection within the road regulator's systems.
A spokesperson for the NSW RTA today confirmed that some office systems had been affected by the worm but insisted that their customer service systems were not impacted.
But the infection raises questions about how the worm, which exploits a security vulnerability affecting Windows XP and Windows 2000 systems, managed to reach PCs inside the RTA's network in the first place.
MSBlast -- dubbed W32.MSBlaster.worm by Internet security authorities -- is not like malicious e-mail-borne viral code, which needs human intervention to infect PCs and continue propagating to new victim systems.
MSBlast infects systems connected to the Internet and local area networks through their network connections. Once it has annexed one PC on the network it uses that as a staging spot to look for other vulnerable PCs online nearby.
It stands to reason then that the Windows security vulnerability existed on a system that the RTA had kept exposed to the Internet.
Microsoft publicly acknowledged the vulnerability earlier last month, issuing a patch to repair it on July 17.
MSBlast stages its campaign to propagate to new victim computers by simultaneously attempting to connect to a number of randomly generated Internet addresses based on the address of its host system. It uses a penetration method identical to that of a popular hacking program. The program, known as dcom.c, attempts to use a well-known vulnerability in a widely used component of a number of Windows operating systems, a component that allows other computers to ask it to perform an action or service.
The vulnerability is known as the DCOM RPC buffer overflow.
There have been numerous confirmed reports that the worm has crashed systems, but its intended purpose was to precipitate a denial of service attack on Microsoft's software update site.
Anti-virus software vendors say that the impact of MSBlast has been light in Australia -- however, reports in the US confirm that it has infected at least 120,000 computers and has caused internal disruptions for many companies and Internet service providers.










