HONG KONG — Computer experts tried Monday to determine if a viruslike attack on the Internet over the weekend originated in Hong Kong as the president of South Korea, the hardest hit nation, ordered officials to safeguard that nation's computer networks.
A U.S. Internet executive said by telephone that disruptions appeared first in Hong Kong before spreading to other Pacific Rim nations and then onto the United States and Europe.
The government-funded Hong Kong Computer Emergency Response Team was investigating but said it would be hard to determine the origin of the Internet attack, which shut down millions of computer users in South Korea and slowed or halted networks elsewhere.
"Checking the origin of the worm is like finding which part of a river a drop of water comes from," said S.C. Leung, senior consultant with the Hong Kong computer team.
Late in the day, Leung said the Hong Kong experts had not found evidence that the worm had come from here, but they also had not been able to rule it out.
The worm could have been timed for release during the Asian day and cropped up in Hong Kong when people began using their computers on Saturday, but that does not mean it was launched from Hong Kong, said Tom Ohlsson, a vice president at Matrix NetSystems of Austin, Texas.
"It appears that performance on the Internet seemed to degenerate (in Hong Kong) before we noticed it in the Eastern Seaboard," Ohlsson said.
The cyber terror response team at South Korea's National Police Agency launched an investigation, but team leader Yang Keun-won said it was unclear whether officials could locate the origin of the worm.
"We don't think the attack was pointed toward us, since the worm came from several countries including the United States, Australia and China," Yang said.
The Washington Post reported that experts who studied the worm have found references in its coding to Honker, a Chinese hacker group believed to operate in mainland China and possibly in Hong Kong.
Internet service in South Korea was "stable" though not at 100 percent early Monday, said Woo Do-shik, a spokesman for South Korea's Information and Communication Ministry.
South Korean President Kim Dae-jung "expressed regret over the incident and ordered related government agencies to promptly come up with restoration plans and establish tight contingency plans to prevent recurrence," said his chief spokesman, Park Sun-sook.
Even as some experts sought the origin of the worm, others expressed worries that too many system managers only fix problems as they occur, rather than install a strong defense ahead of time to prevent repeats.
The Sapphire worm exploited a vulnerability in some Microsoft Corp. software that was discovered in July and could have been stopped with software updates for its SQL Server 2000 software.
The system is used mostly by businesses and governments but many users had not updated their software with the patch in time to avoid the latest worm.
"There was a lot that could have been done between July and now," said Howard A. Schmidt, the No. 2 cybersecurity adviser to President Bush. "We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up-to-date."
Two previous major outbreaks, Code Red and Nimda, also exploited known problems for which patches were available.
But system administrators have trouble keeping up with the numerous vulnerabilities that are reported, and patches can take time to install and sometimes cause their own problems.