According to the Computer Emergency Response Team (CERT), the worm first attacks the Solaris server and then sets it up to attack systems running IIS. The worm uses known security flaws in both servers' software to compromise systems and deface Web pages, says CERT, which has called the malicious code the "sadmind/IIS worm".
Systems that have been hit show the following characteristics: on the Solaris system, a directory called "/dev/cuc" will contain tools that the worm uses to operate. The IIS machine will show modified Web pages displaying a rant against the US Government and a Chinese e-mail address.
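The two indicators above (the `/dev/cuc` tool directory on the Solaris side and defaced pages on the IIS side) can be checked from a defender's position without touching the worm itself. The following POSIX shell script is an added example, not code from CERT or from the article; it checks for the directory the article names and detects page tampering by comparing a served file against a recorded baseline hash, which generalises the "modified Web pages" indicator to any content the administrator has baselined. The `root` prefix argument and the baseline-hash workflow are assumptions made so the checks can be run against a test tree or a mounted image rather than only the live host.

```shell
#!/bin/sh
# Added example: host-side indicator checks for the sadmind/IIS worm signs
# described in the article. Not the worm, not CERT's tooling.

# has_worm_dir ROOT
#   Returns 0 when the worm's tool directory (/dev/cuc, as named by CERT)
#   exists beneath ROOT. ROOT is "" for the live host, or the mount point
#   of a forensic image / a test tree (assumption made for offline use).
has_worm_dir() {
    root="${1:-}"
    [ -d "${root}/dev/cuc" ]
}

# list_worm_dir ROOT
#   Prints the contents of the tool directory so an analyst can preserve
#   them before cleaning the host. Prints nothing if the directory is absent.
list_worm_dir() {
    root="${1:-}"
    if has_worm_dir "$root"; then
        ls -la "${root}/dev/cuc"
    fi
}

# baseline_hash FILE
#   Prints the SHA-256 of FILE; record this for every page in the web root
#   while the site is known-good.
baseline_hash() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# page_unmodified FILE EXPECTED_HASH
#   Returns 0 when FILE still matches the recorded baseline, 1 when it has
#   been altered (the defacement the article describes would trip this).
page_unmodified() {
    file="$1"
    expected="$2"
    actual=$(baseline_hash "$file")
    [ "$actual" = "$expected" ]
}

# report ROOT FILE EXPECTED_HASH
#   Combines both checks into a one-line verdict per indicator.
report() {
    root="${1:-}"
    file="$2"
    expected="$3"
    if has_worm_dir "$root"; then
        echo "SOLARIS: tool directory ${root}/dev/cuc present (compromise indicator)"
    else
        echo "SOLARIS: no ${root}/dev/cuc directory"
    fi
    if page_unmodified "$file" "$expected"; then
        echo "WEB: $file matches baseline"
    else
        echo "WEB: $file differs from baseline (possible defacement)"
    fi
}

# Usage (on the live host, with a previously recorded baseline):
#   . ./worm_check.sh
#   report "" /var/www/index.html 5891b5b5...   # hash recorded earlier with baseline_hash
```

The baseline comparison only works if the hashes were recorded before the incident; store them off the web server, since an attacker who can rewrite pages can also rewrite a hash list kept beside them.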
CERT said it has received reports of the worm, although it did not specify whether the worm has been found in the wild.
The Solaris system is entered via a two-year-old buffer overflow vulnerability. After that, a security hole uncovered seven months ago is used to break into the IIS system. Once infected, the Solaris system is used to scan for and compromise other Solaris and IIS systems.
Software patches from Sun and Microsoft have long been available to fix the problems. However, as not every Web site administrator is diligent in plugging holes, servers could still be vulnerable.
"None of the antivirus vendors have reported the discovery of, or any incidents with, this malicious program [the sadmind/IIS worm]," said Denis Zenkin, spokesman for Kaspersky Lab, an antivirus vendor.
This being the first report could mean one of two things, Zenkin added. "Either the worm has bugs and will never appear in the wild; in this case it is merely another entry in CERT's virus encyclopedia. This is certainly not the very first malicious program that attacks IIS servers. Or the worm is really something very dangerous and has the opportunity to become widespread," he said.
If the sadmind/IIS worm is a danger, CERT's attitude towards antivirus vendors can be classified as "unethical", Zenkin said. "CERT didn't share the virus sample with developers of antivirus programs to allow them to provide their customers with an emergency update," he said.