Microsoft Defends Web Services Security In Light of Virus


Microsoft defended the reputation of its new Web services software Thursday, claiming that a virus targeting files used in its .NET Framework is actually based on an old Windows virus.

Antivirus vendors Wednesday reported a new "proof-of-concept" virus, called W32/Donut, that infects executable files created for Microsoft's Web services, which are expected to be released to the public in the coming months.

The virus was written using Windows code and is very similar to one that came out last March called W32/Winux, says Tony Goodhew, product manager for the .NET Framework. The Donut virus also could be written to infect other file types, Goodhew says.

"This is not a .NET virus," he says. "t's a Windows virus that infects .NET files. It's not running in the .NET Framework as managed code. It's not finding some hole in the security model and exploiting it."

However, researchers at Symantec and Network Associates say the Donut virus is a new virus that takes advantage of the .NET architecture.

"It's all positioning," Motoaki Yamamura, senior development manager at Symantec, says of Microsoft's claim. "This virus itself is a new virus, [even though only a small part of it--the part that targets .NET files--was written in the .NET programming language."

The virus, which affects computers running Windows 2000 and XP, was not detected by antivirus software until vendors included a definition, or fingerprint, for it in their products this week, says Vincent Gullotto, senior research director for Network Associates' Antivirus Research Team.

Microsoft and the antivirus vendors agree that the risk from the virus is extremely low because so few people have .NET software installed on their computers and because the virus can not spread itself.

In addition, the .NET software has mechanisms that would prevent it from running on a system, Goodhew says.

"Not only is there very little chance that it will ever propagate, but it also does no damage to the system," he says.

The .NET technology is designed to make software available as a service online to anyone using any device. So far, software developers are the only ones using .NET under a standard beta test program.

Copyright 2000 Reuters Limited. All rights reserved.

Republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Reuters.

Reuters shall be not be liable for any errors or delays in the content, or for any actions taken in reliance thereon.