Jan 7, 2009

Symantec Reports Windows RPC Worm

Have you patched your Windows systems against the RPC vulnerability reported in October? There have already been attacks exploiting it, but Symantec is now reporting a new worm built on the same attack.

They call it W32.Downadup.B and rate it a level 2 or "Low" threat. Microsoft's description of the worm includes a list of the names used by other AV vendors.

The worm spreads by multiple means, including the MS08-067 vulnerability patched in October and via network shares with weak passwords.

Once executed on a target system, it copies itself to numerous locations and registers itself as a Windows service with a name assembled from a combination of words on a list. It also runs itself from the System registry Run key and deletes all System Restore Points to make recovery harder.

It changes the system's network configuration to make itself spread faster, but in a way that will break certain applications and make general network access less efficient. It also modifies the Windows Firewall to allow other systems to download the attack from it, and creates an HTTP server on a random port to serve it. It monitors DNS requests to block access to a list of security-related sites, defeating attempts to remove it. Finally, it sets up a mechanism for downloading updates to itself.
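The behaviours listed above each leave a host-side trace an administrator can check for. The script below is an added example, not code from the original post nor from Symantec or Microsoft; it assumes an elevated PowerShell 2.0 or later session on XP, Vista or 7, treats the hotfix id KB958644 as the MS08-067 patch (an assumption to verify against the bulletin), and uses constructed test names (www.symantec.com, www.microsoft.com, www.example.com) for the DNS check because the post names those vendors but not the blocked sites. The service and listening-port checks are triage heuristics that produce a list for review, not a verdict.

```powershell
# Added defender-side triage for the W32.Downadup.B behaviours the post lists.
# Assumptions: elevated PowerShell 2.0+, Windows XP/Vista/7, KB958644 = MS08-067
# (verify against the bulletin), vendor domains below are constructed inputs.

function Test-Ms08067Patched {
    # Win32_QuickFixEngineering lists installed hotfixes by KB id.
    $hf = Get-WmiObject -Class Win32_QuickFixEngineering |
          Where-Object { $_.HotFixID -eq 'KB958644' }
    return ($hf -ne $null)
}

function Get-RunKeyEntries {
    # The worm launches itself from the system Run key: list every value so the
    # command lines can be reviewed by hand.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { New-Object PSObject -Property @{ Name = $_.Name; Command = $_.Value } }
}

function Get-SuspiciousServices {
    # The worm registers a service under a generated name. Heuristic: flag services
    # whose binary lives outside the Windows and Program Files trees. Services
    # hosted in svchost.exe pass this filter and need their ServiceDll reviewed separately.
    $root = $env:SystemRoot.ToLower()
    $pf   = $env:ProgramFiles.ToLower()
    Get-WmiObject -Class Win32_Service | Where-Object {
        $_.PathName -and -not (
            ($_.PathName -replace '"', '').ToLower().StartsWith($root) -or
            ($_.PathName -replace '"', '').ToLower().StartsWith($pf))
    } | Select-Object Name, DisplayName, PathName, StartMode
}

function Get-RestorePointCount {
    # The worm deletes all System Restore points. Zero is only a weak signal on its
    # own (System Restore may simply be disabled), so report the count for context.
    $rp = @(Get-WmiObject -Namespace 'root\default' -Class SystemRestore -ErrorAction SilentlyContinue)
    return $rp.Count
}

function Get-FirewallExceptions {
    # The worm adds a Windows Firewall exception so peers can fetch it. The legacy
    # HNetCfg.FwMgr COM object exposes the authorised-application list on XP SP2+.
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    $mgr.LocalPolicy.CurrentProfile.AuthorizedApplications |
        Select-Object Name, ProcessImageFileName, Enabled
}

function Get-ListeningPorts {
    # The worm serves itself over HTTP on a random port. Parse netstat for listening
    # TCP sockets and their owning PIDs; unexpected listeners get reviewed.
    netstat -ano | Select-String 'LISTENING' | ForEach-Object {
        $f = @(($_.Line -split '\s+') | Where-Object { $_ })
        New-Object PSObject -Property @{ Local = $f[1]; OwningPid = $f[-1] }
    }
}

function Test-VendorDnsBlocked {
    # The worm blocks DNS lookups of security-related sites. Compare a control name
    # against vendor names (constructed inputs); a blocked list is only meaningful
    # when the control name still resolves, i.e. DNS itself is working.
    param([string[]]$Vendors = @('www.symantec.com', 'www.microsoft.com'),
          [string]$Control = 'www.example.com')
    $resolve = { param($n) try { [System.Net.Dns]::GetHostAddresses($n) | Out-Null; $true } catch { $false } }
    $controlOk = & $resolve $Control
    $blocked = @($Vendors | Where-Object { -not (& $resolve $_) })
    return New-Object PSObject -Property @{ DnsWorking = $controlOk; BlockedVendors = $blocked }
}

function Invoke-DownadupTriage {
    $dns = Test-VendorDnsBlocked
    New-Object PSObject -Property @{
        Ms08067Patched     = Test-Ms08067Patched
        RunKeyEntries      = @(Get-RunKeyEntries)
        ServicesToReview   = @(Get-SuspiciousServices)
        RestorePointCount  = Get-RestorePointCount
        FirewallExceptions = @(Get-FirewallExceptions)
        ListeningPorts     = @(Get-ListeningPorts)
        DnsWorking         = $dns.DnsWorking
        BlockedVendorNames = $dns.BlockedVendors
    }
}

Invoke-DownadupTriage | Format-List
```

Run it from an elevated prompt and read the report top to bottom: an unpatched MS08-067, an empty restore-point list, a firewall exception or Run-key entry pointing at an unfamiliar binary, an unexplained listener, or vendor names that fail to resolve while the control name succeeds are each one of the traces the post describes, and together they justify pulling the host for a full scan.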

Like many previous attacks, this one can theoretically run on Windows Vista or Windows 7, but in a default configuration it is not likely to run successfully, and there are multiple levels at which the user would at least get a warning of it. It is primarily an attack on XP. There are many good practices an XP user can engage in to prevent the attack, but the sort of user who would do these would have patched their system against MS08-067 by now. Beyond that vulnerability… (Full story)
