Worm attack succeeds and fails at the same time
Finland, August 16, 2003
The Lovsan worm that has been spreading since Monday has now activated around
the world.
Windows 2000 and XP machines that get infected after this moment will try to
launch a distributed denial-of-service attack against Microsoft's
windowsupdate.com. Similarly, machines which were infected before midnight on
the 15th of August (local time) will start the attack the next time they are
rebooted. This will continue until the end of the year 2003.
Microsoft made drastic changes to their Internet setup on Friday, changing
the operations of their main servers. As to windowsupdate.com, they just
surrendered.
"They figured out - quite correctly - that no web server could survive under
the attack load generated by tens of thousands of infected computers. So
Microsoft simply disconnected this server from the web and removed its name
from domain name systems," explains Mikko Hypponen, Director of Anti-Virus
Research at F-Secure Corporation. "Windowsupdate.com will probably never
return. So in this sense, the worm accomplished what it wanted:
windowsupdate.com is no more."
As a result, the worm can't find a target address for the attack - and won't
attack. The change was made so late that some affected machines probably
still had a cached IP address for windowsupdate.com, and a limited number of
attack packets are going around the net - but not enough to cause disruption
for the internet itself.
So, Microsoft sacrificed their server to save the rest of the net. Now there
will be no floods of packets to overflow routers and switches at ISPs around
the world. This probably was an easy decision for Microsoft, as
windowsupdate.com was not used much.
The official address for Microsoft's Windows Update Service is
windowsupdate.microsoft.com. This is also the address built into Windows 98,
ME, 2000, XP and 2003. Most likely this was the address the virus writer
tried to attack, but she made a slight mistake in the address (which used to
be redirected to the same update service).
F-Secure estimates that the Lovsan worm will continue to spread around the
world in measurable amounts at least until 2005.
Information on how to get rid of the worm, as well as free tools, is available
at http://www.f-secure.com
About F-Secure
F-Secure Corporation is the leading provider of centrally managed security
solutions for the mobile enterprise. The company's award-winning products
include antivirus, file encryption and network security solutions for major
platforms from desktops to servers and from laptops to handhelds. Founded in
1988, F-Secure has been listed on the Helsinki Exchanges since November 1999.
The company is headquartered in Helsinki, Finland, with the North American
headquarters in San Jose, California, as well as offices in Germany, Sweden,
Japan and the United Kingdom and regional offices in the USA. F-Secure is
supported by a network of value added resellers and distributors in over 90
countries around the globe. Through licensing and distribution agreements, the
company's security applications are available for the products of the leading
handheld equipment manufacturers, such as Nokia and HP.

