Code Red: Internet Armageddon?
Wily Worm Wallops the Web
Twenty-one percent of the servers driving the Internet are vulnerable to an insidious worm threatening an Internet meltdown when the date changes to July 20, 2001. The worm takes advantage of a serious security hole identified by eEye Digital in June, 2001. At the time of that discovery, Microsoft® released a heavily publicized patch. However, current worm activity indicates that at least twelve thousand systems failed to heed the advice and are now poised to attack www.whitehouse.gov. Security experts fear the residual fallout of such a massive DDoS (Distributed Denial of Service) attack could cripple the entire Internet. Marc Maiffret of eEye Digital Security noted that, "In testing we have calculated that the worm can attempt to infect roughly half a million IP addresses a day." Given that Netcraft estimates nearly 6 million IIS servers are in use as part of the Internet backbone, close to twenty-one percent of the Web could be affected. While the attack is targeting www.whitehouse.gov, the subsequent traffic jam could potentially result in severe disruption to the Internet. eEye Digital notes, "Chances are this worm would have not been discovered if we had not fully disclosed details about the .ida vulnerability, allowing Intrusion Detection System vendors to create signatures for the .ida buffer overflow attack." Indeed, without deliberate intrusion scanning the worm's presence would go largely undetected, as IIS servers do not log requests until they have been processed.
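The point above is that detection has to happen on the wire, before IIS processes the request. The following added example (not part of the original article or eEye's signatures) inspects raw HTTP requests for the two traits the article attributes to the worm: a request for an .ida resource carrying an oversized query string, and a HOST: header of www.worm.com. The 100-byte threshold and the sample traffic are constructed for illustration.

```python
import re
from typing import List, Tuple

# Assumed threshold for this example: a query string to an .ida handler far
# longer than any legitimate indexing request is treated as a probable overflow.
MAX_IDA_QUERY_LEN = 100
# Host: header value the article says the worm sends in its initial request.
WORM_HOST = "www.worm.com"

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d$")
HOST_HEADER = re.compile(r"^host:\s*(?P<host>\S+)$", re.IGNORECASE)


def inspect_request(raw: str) -> List[str]:
    """Return the reasons a raw HTTP request matches the worm's traits.

    This runs on the request as seen by a network sensor, not on server logs:
    IIS only logs a request after processing it, so an exploited server may
    never record the hit.
    """
    lines = raw.split("\r\n")
    reasons: List[str] = []
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return ["malformed request line"]
    path, _, query = m.group("path").partition("?")
    if path.lower().endswith(".ida") and len(query) > MAX_IDA_QUERY_LEN:
        reasons.append(f".ida request with {len(query)}-byte query string")
    for header in lines[1:]:
        h = HOST_HEADER.match(header)
        if h and h.group("host").lower() == WORM_HOST:
            reasons.append(f"Host header is {WORM_HOST}")
    return reasons


def scan(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, reasons) for every request that triggers a rule."""
    return [(i, r) for i, req in enumerate(requests) if (r := inspect_request(req))]


# Constructed sample traffic (not real captures): one benign page fetch, one
# worm-style .ida overflow attempt, and one short legitimate .ida query.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "GET /default.ida?" + "N" * 240 + "=X HTTP/1.0\r\nHost: www.worm.com\r\n\r\n",
    "GET /search.ida?q=budget HTTP/1.0\r\nHost: intranet.example.test\r\n\r\n",
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: " + "; ".join(reasons))
```

Only the second request is flagged, and on both counts; the short legitimate .ida query stays below the threshold.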
While the worm exploits any language version of IIS, on English versions of NT/2000 servers it has an extra twist - defacing the websites to display:
Welcome to http://www.worm.com !
Hacked By Chinese!
It is not known whether the worm.com website was directly involved in any fashion, but as a precaution authorities have asked the ISP to remove the site. According to eEye Digital, "This worm only specifies www.worm.com in the initial HTTP GET request HOST: header and in the defaced page shown on English (US) systems. This worm does _not_ connect to www.worm.com. This worm operates completely independently and can spread and infect systems without having a single point of failure. What that means is that this worm will be wild on the Internet until there is a _VERY_ high degree of systems that go and install the .ida patch."
Interestingly, Microsoft's own web servers may have been infected. One post to the Bugtraq newsgroup indicated the Microsoft Update site was displaying the "Hacked By Chinese!" banner, and a check of the site indicated it was no longer accessible via the Web. If the site was indeed affected, it puts to rest rumors that Microsoft® doesn't use its own software.

