Even more RPC worms for Windows hole
According to several antivirus vendors, real worms are now exploiting the recently discovered Windows hole in the server service to inject PCs with code via specially crafted RPC packets and infect them this way. Gimmiv.A, the first malware sample discovered in this connection, was not a real worm as it didn't continue to spread itself from infected PCs.
The W32.Kernelbot.A worm now detected and described by Symantec and others, on the other hand, does not only exploit the vulnerability for its own distribution but also tries to use P2P networks. For this purpose, it retrieves an eMule client from the internet and offers a specially crafted movie that contains the worm. In addition, it manipulates the hosts file to block the access to certain domains. Among these domains are particularly the addresses of antivirus vendors. The worm finally also tries to terminate some of the processes of popular antivirus vendors.
So far, the worm doesn't appear to have spread very far. This is probably because the majority of Windows users have activated their firewalls, which prevents the worm from accessing the vulnerable service. Chinese users, however, seem to be the exception, as the worm has predominantly been found on Chinese PCs and, according to reports, even initiated DDoS attacks against Chinese websites from there. That China has a particularly high number of vulnerable computers was last pointed out in a study by security provider SecureWorks. Microsoft came to similar conclusions in its latest Security Intelligence Report.
Users can find out whether their own PCs are accessible from outside by obtaining and running port scanner. If a scanner test shows one of the ports between 135 and 139 or port 445 as being open, this indicates a critical risk.
The second RPC worm discovered, W32.Wecorl, has seemingly only appeared in very small numbers. It connects to a server on the internet to update itself and retrieve further malicious routines. Both worms are detected by the current virus scanners.
While the vulnerability has already been closed by an automatic update in current Windows versions, some users have disabled the auto-update feature for certain reasons. Users are advised to manually download and install the update if they have any doubts. The heise "Offline Update" script package is a useful tool for this purpose. It downloads Microsoft's complete library of updates and uses it to assemble the very latest patch packages for Windows 2000, XP, 2003, Vista and Office.
See also:
- W32.Kernelbot.A, description by Symantec
- W32.Wecorl, description by Symantec
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
