Lovesan worm attack succeeds and fails at the same time

Helsinki, Finland - August 16, 2003

Windows 2000 and XP machines that get infected after this moment will try to launch a distributed denial-of-service attack against Microsoft's windowsupdate.com. Similarly, machines which were infected before midnight on 15th of August (local time) will start the attack the next time they are rebooted. This will continue until the end of the year 2003.

Microsoft made drastic changes in their Internet set up on Friday, changing the operations of their main servers. As to windowsupdate.com, they just surrendered.

"They figured out - quite correctly - that no web server could survive under the attack load generated by tens of thousands of infected computers. So Microsoft simply disconnected this server from the web and removed it's name from domain name systems" explains Mikko Hypponen, Director of Anti-Virus Research at F-Secure Corporation. "Windowsupdate.com will probably never return. So in this sense, the worm accomplished what it wanted: windowsupdate.com is no more."

As a result, the worm can't find a target address for the attack - and won't attack. The change was done so late that probably some affected machines still had cached IP address for windowsupdate.com and a limited amount of attack packets are going around the net - but not enough to cause disruption for the internet itself.

So, Microsoft sacrificed their server to save the rest of the net. Now there will be no floods of packets to overflow routers and switches at ISPs around the world. This probably was an easy decision for Microsoft, as windowsupdate.com was not used much.

The official address for Microsoft's Windows Update Service is windowsupdate.microsoft.com. This is also the address built-in to Windows 98, ME, 2000, XP and 2003. Most likely this was the address the virus writer tried to attack, but she made a slight mistake in the address (which used to be redirected to the same update service).

F-Secure estimates that the Lovsan worm to continue to spread around the world in measurable amounts at least until 2005.

Information on how to get rid of the worm as well as free tools are available at http://www.f-secure.com

About F-Secure

F-Secure Corporation is the leading provider of centrally managed security solutions for the mobile enterprise. The company's award-winning products include antivirus, file encryption and network security solutions for major platforms from desktops to servers and from laptops to handhelds. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since November 1999. The company is headquartered in Helsinki, Finland, with the North Amercan headquarters in San Jose, California, as well as offices in Germany, Sweden, Japan and the United Kingdom and regional offices in the USA. F-Secure is supported by a network of value added resellers and distributors in over 90 countries around the globe. Through licening and distribution agreements, the company’s security applications are available for the products of the leading handheld equipment manufacturers, such as Nokia and HP.

For more information, please contact:

F-Secure Corporation
Mikko Hypponen, Director of Anti-Virus Research
PL 24
FIN-00181 Helsinki
Tel +358 9 2520 5513
Fax. +358 9 2520 5001
Email: Mikko.Hypponen@F-Secure.com


Media contact in the USA:
F-Secure Inc.
Heather Deem,
675 N. First Street, 5th Floor
San Jose, CA 95112
Tel +1 408 350 2178
Fax +1 408 938 6701
Email Heather.Deem@F-Secure.com