Microsoft Warns Of Attack Exploiting Windows Vulnerability
The worm has the potential to infect other computers across a network by exploiting a critical vulnerability in the Windows Server service.
Microsoft released an emergency patch last month repairing the error. However, if successfully exploited, the vulnerability could enable remote attackers to execute arbitrary code via a malicious file that would allow them to completely take control of a user's PC.
Microsoft researchers first detected attacks exploiting the vulnerability last week. Since then, the number of successful exploits grew to significant levels over the weekend. Researchers reported in a blog that they noticed that the malware "gained momentum" over the last two days, when they saw a significant increase in support calls.
Specifically, the worm deletes any use-created System Restore points, and attempts to contact numerous sites, including those of Google, Yahoo, MSN and ask.com, to obtain the current date, according to researchers at the SANS Institute. The worm then uses the date information to generate a list of domain names, which it then contacts in an attempt to download additional malicious files onto a user's affected computer.
The malware mostly spreads within businesses, however it has also been reported by individual home users, Microsoft said.
Unlike other exploits, the malware actually repairs an API vulnerability on users' unpatched computers.
"It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too," said Microsoft researchers in a blog post.
Reports of active exploits have come primarily from the U.S. However exploits have also been found in Germany, Spain, France, Italy, Taiwan, Japan, Brazil, Turkey, China, Mexico, Cana, Argentina and Chile.
To avoid being affected by the malware, experts recommend that its customers install the necessary update on their machines, which can be found on the Microsoft Web site.