The laptop was made by Hedy, a computer manufacturer in Guangzhou, China, according to the court records. The company, reached by phone, declined to answer questions.

Stratton and his colleagues also found Nitol to be highly contagious. They inserted a thumb drive into the computer and the virus immediately copied itself onto it. When the drive was inserted into a separate machine, Nitol quickly copied itself onto that machine as well.

Microsoft examined thousands of samples of Nitol, which has several variants, and all of them connected to command-and-control servers associated with the 3322.org domain, according to the court records.

“In short, 3322.org is a major hub of illegal Internet activity, used by criminals every minute of every day to pump malware and instructions to the computers of innocent people worldwide,” Microsoft said in its lawsuit.

Peng, the registered owner of 3322.org, said he has “zero tolerance” for the misuse of domain names and works with Chinese law enforcement whenever there are complaints. Still, he said, his huge customer base makes policing difficult.

“Our policy unequivocally opposes the use of any of our domain names for malicious purposes,” Peng said in a private chat via Sina Weibo, a service like Twitter that’s very popular in China. “We currently have 2.85 million domain names and cannot exclude that individual users might be using domain names for malicious purposes.”

But past warnings by other online security firms have been ignored by Peng, Boscovich said. 3322.org accounted for more than 17 percent of the world’s malicious web transactions in 2009, according to Zscaler, a computer security firm in San Jose, Calif. In 2008, Russian security company Kaspersky Lab reported that 40 percent of all malware programs, at one point or another, connected to 3322.org.

U.S. District Judge Gerald Bruce Lee, who is presiding in the case, granted a request from Microsoft to begin steering Internet traffic from 3322.org that has been infected by Nitol and other malware to a special site called a sinkhole. From there, Microsoft can alert affected computer users to update their anti-virus protection and remove Nitol from their machines.

Since Lee issued the order, more than 37 million malware connections have been blocked from 3322.org, according to Microsoft.

___

Associated Press researcher Fu Ting in Shanghai contributed to this report.