Windows worm infection accelerates

Microsoft is currently observing an increase in the spread of a new Windows worm that exploits the known vulnerability in the RPC functions of the Server service to penetrate systems. The infection rate of Conficker.A worm is reported to be accelerating over company networks in particular. The Microsoft Malware Protection Center says most reports are coming from the USA, but customers in Europe, Asia and South America too are affected, and reports have also been received from several hundred home users.

Conficker "opens a random port between port 1024 and 10000 and acts like a web server." Once infected, the computer "will download a copy of the worm via HTTP using the random port opened by the worm. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that it won't be infected by other malware." In addition, Conficker queries various web sites to find out the IP address being shown to the outside world, as well as the current time. Symantec says that using that time, the worm generates a list of domains that it then contacts in order to download further code.

To protect a computer against Conficker, the Microsoft security updates should be installed and a firewall should be activated. As a rule, the firewall that has been integrated since Windows XP, and has been active by default since SP2, is completely sufficient. However, for the sake of security, users should check their settings and ensure that no exceptions have been unintentionally defined that give access to services suffering from the RPC vulnerability – File and Printer Sharing, for example.

See also:

• More MS08-067 Exploits, report by the Microsoft Malware Protection Center

(trk)