Internet security monitoring groups are warning Windows users about new Internet attacks aimed at Windows NT, Windows 2000 and Windows Server 2003 machines running WINS (Windows Internet Naming Service).

The attacks targets a WINS vulnerability that was reported and patched by Microsoft in December. The SANS Institute's Internet Storm Center, however, reports a marked increase in probes for machines running WINS in recent days, after computer code to exploit the vulnerability was posted on the K-Otik Security website on 31 December.

The code allows remote attackers to exploit Windows 2000 servers on which the WINS service has been enabled, according to a posting on the K-Otik site. Malicious hackers are probably using the exploit to plant Trojan horse programs or other remote control programs on vulnerable systems, according to Johannes Ullrich, chief technology officer at the Internet Storm Center.

According to the Microsoft bulletin, Windows NT Server 4.0 and Windows Server 2003 also carry the WINS vulnerability. WINS is a Microsoft technology that matches IP addresses to a computer's NetBIOS name, in much the same way as DNS matches Internet domains to IP addresses.

The Center recorded WINS scans from a small number of Internet hosts since the exploit code appeared on the K-Otik Web page, but doesn't have a record of a machine being compromised, Ullrich said.

An increase in scans for machines listening for traffic on TCP port 42, which is used by WINS, was also noted byThe Research and Education Networking Information Sharing and Analysis Center (ISAC), starting on 31 December. and continuing through Tuesday.

WINS is enabled by default in Windows NT machines, but is disabled on systems running Windows 2000 and Windows 2003, which might account for the lack of successful infections, Ullrich said.

Organisations that have not already applied the Microsoft WINS patch should do so immediately. Alternatively, they should consider deactivating WINS, which is legacy technology that has since been replaced by Microsoft's Active Directory.

"A disabled service is always the safest," Ullrich said.