Microsoft Worm Variant Detected
Security company BitDefender Labs, based in Bucharest, Romania, detected the Windows worm variant in late December. The original worm known as Win32.Worm.Downadup, first made its appearance in late November, exploiting a Microsoft vulnerability in the Windows RPC Server Service. Since then, it has rapidly spread across numerous corporate networks with the aim of distributing malicious software on susceptible computers.
Microsoft issued an out-of-band patch repairing the flaw in October, but the fix came too late to prevent hackers from executing malicious code that exploited the vulnerability the following month. The attacks that ensued enabled hackers to launch the Win32.Worm, which compromised networks and stole information from numerous business PCs.
Now this new variation of the worm, called Win32.Worm.Downadup.B, uses a few new tricks to help itself spread. The worm self-replicates in a random folder created inside the RECYCLER directory, which is used by the Recycle Bin to store deleted files. The worm then creates an autorun.inf file in the root folder of the drive, and automatically executes if the Autorun feature is enabled, BitDefender researchers said.
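As an added defender-side example (not BitDefender's or Microsoft's code), the script below checks a drive root for an autorun.inf whose launch target points into the RECYCLER directory, the combination the article attributes to Downadup.B. The autorun.inf layout, the SID-style folder name and the payload file name are constructed for the demonstration; the parser deliberately skips lines that are not key=value pairs so junk or comment lines do not hide the launch entry.

```python
"""Added example: flag autorun.inf files at a drive root that launch something
from the RECYCLER directory. Paths, folder names and payload bytes below are
constructed for the demo and are not indicators from the original article."""
import os
import re
import tempfile

# autorun.inf keys that trigger execution when the Autorun feature is enabled
_LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return {key: value} for launch-related keys in an autorun.inf body.

    Parsing is tolerant on purpose: keys are lower-cased, and section headers,
    comments and lines without '=' are skipped rather than rejected."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith((";", "[")):
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in _LAUNCH_KEYS:
            entries[key] = value.strip()
    return entries


def scan_drive_root(root):
    """Scan one drive root for an autorun.inf whose launch target lives under RECYCLER.

    Returns a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    inf_path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf_path):
        return findings
    with open(inf_path, "r", errors="ignore") as fh:
        entries = parse_autorun(fh.read())
    for key, target in entries.items():
        # normalise both separator styles, then look for a RECYCLER path component
        parts = re.split(r"[\\/]+", target.strip('"'))
        if any(p.lower() == "recycler" for p in parts):
            findings.append({
                "key": key,
                "target": target,
                "exists": os.path.exists(os.path.join(root, *parts)),
            })
    return findings


def build_demo_drive():
    """Create a throw-away directory that mimics an infected drive root (constructed)."""
    root = tempfile.mkdtemp(prefix="demo_drive_")
    hidden = os.path.join(root, "RECYCLER", "S-1-5-21-DEMO", "xyzabc")  # random-looking folder
    os.makedirs(hidden)
    with open(os.path.join(hidden, "random.dll"), "wb") as fh:
        fh.write(b"\x00demo payload placeholder\x00")  # inert bytes, not malware
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 ";junk line that a simple parser should skip\n"
                 "shellexecute=RECYCLER\\S-1-5-21-DEMO\\xyzabc\\random.dll\n"
                 "Action=Open folder to view files\n")
    return root


if __name__ == "__main__":
    drive = build_demo_drive()
    for finding in scan_drive_root(drive):
        print("suspicious autorun target:", finding)
```

Run it against a real drive by passing the drive root (for example `C:\` or the mount point of a removable disk) to `scan_drive_root`; a hit is worth examining even if the target no longer exists, since a dangling entry still shows that something wrote an autorun.inf pointing into the Recycle Bin storage area.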
In the interest of its own self-preservation, the worm also patches certain TCP functions in order to block access to security-related Web sites by filtering addresses that contain specific strings. To protect its files, the worm strips user access rights to them, leaving only execute and directory permissions. In addition, it disables Windows updates and certain network traffic, while simultaneously adjusting some Vista features in ways that help facilitate its spread.
And unlike other exploits, this malware circumvents antivirus detection by repairing an API vulnerability on users' unpatched computers, preventing other malware from overriding it. "It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too," said Microsoft researchers in a blog post.
The malware mostly spreads within businesses, but it has also been reported by individual home users, Microsoft said.
Security experts suggest that users patch their PCs with Microsoft's October out-of-band patch, available for download on the company's Web site, in order to protect their systems from becoming infected.
Reports of active exploits have come primarily from the U.S. However, exploits have also been found in Germany, Spain, France, Italy, Taiwan, Japan, Brazil, Turkey, China, Mexico, Argentina and Chile.