New worm exploiting Microsoft vulnerability

Share this article:

A new worm, “Win32/Wecorl.A,” is actively exploiting the patched Microsoft Windows Server Service vulnerability, researchers said this week.

The malware is spreading slowly, however, and does not seem to have moved out of Asia.
 
The exploit is based on proof-of-concept binaries published online last week, according to an F-Secure blog.

The worm can spread without any user interaction and is able to search for computers to infect on its own, Patrik Runald, chief security adviser at F-Secure, told SCMagazineUS.com.

Microsoft posted information on its Malware Protection Center Web portal about the worm, saying that is being used to download trojans that may be hosted on malicious websites.

Once the worm, which F-Secure refers to as “Exploit.Win32.MS08-067.g,”  infects a user's computer, it drops two malicious files onto the victim's PC, “Trojan-Dropper.Win32.Agent.yhi” and “Rootkit.Win32.KernelBot.dg” which carry out the exploit.

The worm has infected users in China and Taiwan, and the DDoS-bot attacks also have only impacted those regions, Runald said.

Last week, a different trojan called Gimmiv was discovered that also takes advantage of the same vulnerability, which was patched on Oct. 23, out of cycle to Microsoft's normally scheduled security update on the second Tuesday of the month.

The target of that trojan is confidential data from the infected user's PC, including login credentials for Outlook and Window's Live Messenger. Runald said he thinks the two exploits are unrelated.

The new exploit is troubling because worms have the potential of becoming a bigger problem by self replicating, he said. But Gimmiv is more harmful to the end-user because it attempts to steal sensitive information.

Share this article:
close

Next Article in News

Sign up to our newsletters

More in News

Op Emmental spoofs bank sites, uses Android malware to maintain account access

Op Emmental spoofs bank sites, uses Android malware ...

On Tuesday, Trend Micro released a report detailing Operation Emmental, which targets victims in Austria, Switzerland, Sweden and Japan.

Goodwill investigates compromise of credit, debit card info

Credit card and debit card data may have been compromised at several Goodwill locations around the country.

Vice.com hacked, possibly The Wall Street Journal website too

Vice.com hacked, possibly The Wall Street Journal website ...

A reported Russian hacker group known as W0rm tweeted on Monday that it had hacked Vice.com and The Wall Street Journal website.