Donut is a "proof of concept" virus - a prototype bug that is not yet circulating in the wild. Although it does not have a dangerous payload, the virus will spread to files based on the .net-specific Microsoft Intermediate Language (MSIL). Future versions could be malignant.
MSIL files are CPU-independent and are converted on the fly to run on the target processor by a specific just-in-time compiler. This means Donut could feasibly infect systems on any Windows platform, from server to handheld, if .net is ported to other operating systems.
Microsoft is playing down the virus, pointing out that it contains very little MSIL code. Instead it uses a known Windows vulnerability written in Windows code. However, it does indicate the vulnerability of the raft of new application servers and software-as-a-service strategies being developed by Microsoft, Oracle, Hewlett-Packard, IBM, BEA Systems and Sun Microsystems.
With various elements of an application deployed on different computers throughout an organisation or across the Web, the number of vulnerable points is increased.
Kenneth De Spiegeleire, head of security assessment services at Internet Security Systems, said, "The security emphasis is shifting from detection to protection of the asset itself. Rather than using a missile to shoot down specific viruses as they appear, we now require an umbrella of defences to protect all layers of an application."