New worm exploiting Microsoft vulnerability

Share this article:

A new worm, “Win32/Wecorl.A,” is actively exploiting the patched Microsoft Windows Server Service vulnerability, researchers said this week.

The malware is spreading slowly, however, and does not seem to have moved out of Asia.
The exploit is based on proof-of-concept binaries published online last week, according to an F-Secure blog.

The worm can spread without any user interaction and is able to search for computers to infect on its own, Patrik Runald, chief security adviser at F-Secure, told

Microsoft posted information on its Malware Protection Center Web portal about the worm, saying that is being used to download trojans that may be hosted on malicious websites.

Once the worm, which F-Secure refers to as “Exploit.Win32.MS08-067.g,”  infects a user's computer, it drops two malicious files onto the victim's PC, “Trojan-Dropper.Win32.Agent.yhi” and “Rootkit.Win32.KernelBot.dg” which carry out the exploit.

The worm has infected users in China and Taiwan, and the DDoS-bot attacks also have only impacted those regions, Runald said.

Last week, a different trojan called Gimmiv was discovered that also takes advantage of the same vulnerability, which was patched on Oct. 23, out of cycle to Microsoft's normally scheduled security update on the second Tuesday of the month.

The target of that trojan is confidential data from the infected user's PC, including login credentials for Outlook and Window's Live Messenger. Runald said he thinks the two exploits are unrelated.

The new exploit is troubling because worms have the potential of becoming a bigger problem by self replicating, he said. But Gimmiv is more harmful to the end-user because it attempts to steal sensitive information.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Next Article in News

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.