kit designed for Korea are infected with the Nimda worm.
The company recommended that affected sites immediately install a special
program, available from its site, that is designed to clean the infected
According to Microsoft, the infected files contain an "inert" copy of the
Nimda virus, which is "extremely" unlikely to be activated by users.
In a bulletin about the incident, Microsoft said the Nimda infection
was detected in the compressed help files included in the Web
stress-testing tool that is shipped with the Korean language version of
Visual Studio .NET.
Visual Studio .NET is Microsoft's tool set for building XML Web services.
Pricing for the package starts at $1,079.
Citing a desire to "protect customers from the potential actions of any
malicious parties," Microsoft declined to provide detailed information
about the precise location of the virus and the steps required to activate
Nimda first stormed the Internet last September.
The complex worm, which targets vulnerable Windows desktop systems and
servers, uses several methods to spread.
Microsoft said the Nimda-infected help files are part of Application Center
Test (ACT). Use of the ACT system will not activate the virus, nor can it
be spread by projects deployed through Visual Studio .NET, according to the
Nimda claimed numerous high-profile victims last year, including Microsoft.
Pages at the company's Frontpage product site showed evidence of a Nimda
infection last September, triggering some visitors' anti-virus software.
Microsoft claimed the site was not directly compromised but instead
contained remnants of an infection from a third-party content provider.
Besides a mass-mailer that propagates the worm through an infected
attachment, Nimda spreads by scanning for unpatched Microsoft IIS Web
servers and open network shares. Viewing infected Web pages on
Nimda-compromised servers with an unpatched Internet Explorer browser can
spread the infection. The worm can also infect executable files. By Brian McWilliams