A Windows worm dubbed MSBlast is quickly spreading across the net and swamping net connections as it looks for more vulnerable machines to infect.
Many versions of Windows are at risk from MSBlast
On infected machines the malicious program also launches an attack against the Microsoft site that holds a software patch that keeps the worm out.
Security firms say the design of the worm is hampering its spread but warn that tens of thousands of computers could fall victim to it.
The vulnerability exploited by the worm has been known about for almost a month and net security organisations have been warning that it would soon be exploited.
MSBlast is known as a worm because it can spread across the net by itself.
Once installed on a machine MSBlast, also called Lovsan, starts scanning for other vulnerable machines and this can swamp local net connections.
Network Associates said that many home broadband users were reporting heavy traffic on their net connection as a result of being infected by the worm.
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Terminal Services Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
Security firm Symantec said that it had already found MSBlast on more than 57,000 machines.
The worm is likely to find a lot of hosts on the net as it exploits a vulnerability found in many different versions of Microsoft Windows.
The vulnerability exists in the way that Windows shares files across networks. The carefully crafted code of the worm swamps a memory buffer which forces a machine to carry out instructions hidden in the tail of the file.
As well as scanning for more machines to infect, MSBlast is also preparing to launch an attack on 16 August on Microsoft's Windows Update website where many people go to get software patches that close software vulnerabilities.
The vulnerability exploited by MSBlast was first discovered on 16 July and since then security firms, governments and alert services have been warning people that an attack was imminent.
HOW TO AVOID MSBLAST
Keep anti-virus software up to date
Use a firewall on broadband connections
Apply patches to close vulnerabilities
Apply cleaning programs to infected machines
Warnings grew more shrill as security firms reported that malicious hackers were starting to seek out machines that suffered the vulnerability that is now being exploited.
"The time between vulnerabilities being disclosed and exploits being created is decreasing, companies must have an efficient patch management process if they are to protect critical networks," said Graeme Pinkney, operations manager for Symantec. "Time is no longer on their side."
Those most likely to be affected are home users and small firms that tend not to be as diligent about computer security as large companies.
Security firms said that the worm is unlikely to spread as far the recent Slammer worm but said it could rival 2001's Code Red worm which managed to infect 200,000 machines.
Symantec said that it was spreading about 20% of the speed of the Slammer worm when measured by the number of unique machines it was finding and infecting.
Hidden inside the worm are two messages. One taunts Microsoft chairman Bill Gates and reads: "billy gates why do you make this possible? Stop making money and fix your software!" The other is more cryptic and says: "I just want to say LOVE YOU SAN!"