Worm targets Gates with e-mail bomb

An e-mail worm that targets systems running Microsoft Corp.’s Internet Information Services (IIS) enlists infected machines in what appears to be a hacker’s vendetta against Microsoft Corp.

The worm, called DoS.Storm.Worm, seeks out and infects IIS systems that have not applied the proper security patches, said Vincent Weafer, director of Symantec Corp.’s Antivirus Research Center (SARC). Microsoft supplied patches for the problem in August of last year, but some companies apparently have not updated their systems with the fix.

The worm’s payload carries out a DoS (denial-of-service) attack on Microsoft’s Web site, and initiates an e-mail bombing session that sends obscene e-mail messages to gates@microsoft.com. Symantec was unsure whether Microsoft actually owns the e-mail address.

The worm follows the same pattern of several malicious programs that circulated this year. Hackers may just be looking for older bugs and exploiting users who didn’t install the patches to protect against them, Weafer said.

While the worm can prove troublesome, only a small number of companies are likely to be affected, Weafer said.

“I don’t believe this will be a significant threat,” he said.

Symantec said the DoS.Storm.Worm could cause a “medium” level of damage, in particular seriously degrading network performance by generating a flood of messages. But the number of current infections is low, and the worm can be easily contained, the company said. It said it hadn’t figured out yet where the worm originated or who is responsible for it.

To protect against the worm, users of Microsoft Internet Information Server 4.0 and Internet Information Services 5.0 should install a security patch to cover the “Web Server Folder Traversal” security vulnerability. The update can be downloaded at http://www.microsoft.com/WINDOWS2000/downloads/critical/q269862/default.asp/.

Symantec Canada, in Toronto, can be reached at


The worm alert can be found at http://www.symantec.ca/avcenter/venc/data/dos.storm.worm.html.