19 November 2008



'LovSan' infection spreading through TCP binding

By Loring Wirbel
Courtesy of EE Times
Aug 12, 2003
COLORADO SPRINGS, Colo. — The LovSan TCP-layer infection spread like wildfire through global corporate networks on Tuesday (Aug. 12), rivaling the CodeRed worm in the speed and ferocity with which it took over remote dial-in accounts.

Initial patches from Microsoft Corp. for the Windows XP system proved inadequate, as the infection appeared to be able to override a variety of firewalls and Virtual Private Networks and crash client systems at will.

LovSan is unusual in that it does not infect client systems to the point of allowing them to infect others, though it does program clients to attack the Microsoft Web site.

One source at Cornell University called the new Layer 4 infection code "more like a prion than a virus," referring to the protein-only infectious biological agent believed to cause mad cow disease and scrapie, an infectious agent which has no DNA or RNA of its own.

The infection causes client systems to shut down and restart whenever a TCP/IP connection is made to a host server. A warning message states that problems in Remote Procedure Calls warrant a restart of the system, while Windows XP's own diagnostic software warns that Generic Process problems in the svchost.exe software invoke a system restart.

On Monday, the first day the infection spread to remote hosts throughout the U.S., users reported that they could remain online if they could log in to a VPN before the system shut down, a one- to two-minute process. Many VPNs prevent such shutdowns.

Remote users with always-on broadband connections remained unaffected unless their client PCs went through a cold shutdown, since the infection only takes place when new TCP bindings are made.

By Tuesday, the infection was able to initiate a shutdown even within many corporate VPNs, prompting one IT manager at a Colorado storage company to call the program "everyone's worst nightmare."

The infection got its name from a message left on several infected servers, "I just want to say LOVE YOU SAN." It was unclear whether the message referred to a storage-area network. Another message inside the host code said "Billy Gates why do you make this possible? Stop making money and fix your software!"
