Microsoft patches developer software infected with Nimda worm

Computerworld - Two weeks after beginning shipments of the Korean-language version of its new Visual Studio .Net developers software in April, Microsoft Corp. learned that the software accidentally included a file that was infected by the destructive Nimda worm.
Yesterday, the company made a patch available on its Visual Studio .Net Web site that removes the infected file, which hasn't caused any known infections, according to Microsoft.
Christopher Flores, lead product manager for Visual Studio .Net, said today that the hidden Nimda worm was discovered about a month ago by a Microsoft employee shortly after the product's release, as help files were being converted from native Microsoft file formats to HTML code to be placed on the company's Web site. The worm apparently got into the help file code while it was being created by a Korean software vendor that was doing English-to-Korean translation, he said.
About 50,000 copies of the Korean-language version of the program are affected, Flores said. No other languages or versions have been found to include the Nimda code.
The infected file isn't used by the program, according to Microsoft, so it's unlikely that a user would initiate it and begin an infection.
The Nimda worm appeared last September as an infection that can strike all 32-bit Windows computers (see story). It propagates using multiple methods and spread quickly around the world last fall.
The outside vendor apparently scanned the code for viruses but scanned only known files in the code and not files that could have been added. The contractor was "too confident in their build process," Flores said.
The scanning loophole has since been fixed, and all files will now be scanned, he said. "That was a flaw in our Korean build system."
The company has contacted all customers who have registered the software and offered replacement CDs that don't include the Nimda worm, he said. All other users are being advised of the infection when they use the Visual Studio .Net Web portal for developers and are being offered the patch and new CDs.
The U.S. version of Visual Studio .Net shipped Feb. 13; foreign-language versions began shipping about six weeks later. The Korean version makes up about 1% of the product's sales, Flores said.