A rapidly duplicating worm known as LoveSan, Blaster, or MSBlaster is spreading to Windows systems across the Internet. The worm exploits a vulnerability Microsoft fixed more than a month ago--the same remote procedure call (RPC) vulnerability that the US Department of Homeland Security warned about weeks ago, which makes the worm's spread all the more irritating because IT departments had the tools to stop the worm but didn't. The worm makes affected systems reboot, and its underlying code includes mocking attacks on Microsoft Chairman and Chief Software Architect Bill Gates.
"Billy Gates why do you make this possible?" the worm's code asks. "Stop making money and fix your software!!" Security experts who have examined the worm say that it also includes a Denial of Service (DoS) time bomb that floods Windows Update, making it difficult for users to get the software update that protects them from the worm. The worm scans the Internet for other vulnerable machines and propagates to those hosts. By loading itself on an ever-expanding list of hosts, the worm is able to spread more quickly over time.
Users who have applied Microsoft's security patch are spared from the worm's attack. In addition, the company is looking at ways to deflect the Windows Update attacks, which could last for months, security experts say. So far, however, most of the worm's disruption is a result of the Internet traffic it generates, not its ability to make machines spontaneously reboot. The worm appears to affect most Windows NT-based versions of Windows, including Windows XP and Windows 2000.