DoS worm invades Microsoft servers

A program created to automatically flood Microsoft's Web and email servers has been discovered on several corporate networks and may have spread further on the Internet, antivirus researchers said Friday.

Discovered this week, the worm -- dubbed DoS.Storm -- infects Microsoft Web servers and then scans for new machines to infect, floods Microsoft's main Web site with data, and sends a deluge of obscene email to an apparently invalid address for Microsoft Chairman Bill Gates.

"This is one of the trends that we are going to see more and more of: the crossover between the hacking and virus writing, and moving away from email-borne worms," said Vincent Weafer, director of software maker Symantec's antivirus research centre. The worm spreads by exploiting a known flaw in Microsoft's flagship Web server software, called the Internet Information Service (IIS). The vulnerability, dubbed the "Web server folder traversal" flaw, affects Microsoft IIS 4.0 and 5.0.

Although Symantec researchers found the flaw last October, the security hole had been fixed by a previous patch released in August 2000. Once it infects a server, the worm starts scanning 10 million Internet addresses, looking for more vulnerable servers to infect. The worm also initiates an attack on Microsoft, sending a flood of data to overwhelm its Web servers. Known as a denial-of-service (DoS) attack, almost 4,000 such attacks take place every week, according to a recent study. Microsoft Web sites were crippled by a series of DoS attacks in January.

In addition, the worm will send a constant stream of e-mail to "gates@microsoft.com" with the message "F**k you!" The address is believed to be invalid, causing the emails to bounce back to the sender. Microsoft representatives were not immediately available for comment.

Only a handful of Symantec customers have reported finding DoS.Storm, said Weafer, who does not expect it to spread far. "If people update their security patches, it should not be a problem," he said. "The crunch question is, of course, how many people have patched." Moreover, the worm's activities make it fairly easy to detect, he added. The program's search for other vulnerable servers combined with the deluge of data and mail tends to redline the capacity of most corporate network connection, tipping off even the most inexperienced system administrators. "Anyone with a good firewall and intrusion-detect system can see this thing easily," Weafer said.

Rival anti-virus company Trend Micro had no indications of the worm from its customers.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.