New worm exploiting Microsoft vulnerability

A new worm, “Win32/Wecorl.A,” is actively exploiting the patched Microsoft Windows Server Service vulnerability, researchers said this week.

The malware is spreading slowly, however, and does not seem to have moved out of Asia.
 
The exploit is based on proof-of-concept binaries published online last week, according to an F-Secure blog.

The worm can spread without any user interaction and is able to search for computers to infect on its own, Patrik Runald, chief security adviser at F-Secure, told SCMagazineUS.com.

Microsoft posted information on its Malware Protection Center Web portal about the worm, saying that is being used to download trojans that may be hosted on malicious websites.

Once the worm, which F-Secure refers to as “Exploit.Win32.MS08-067.g,”  infects a user's computer, it drops two malicious files onto the victim's PC, “Trojan-Dropper.Win32.Agent.yhi” and “Rootkit.Win32.KernelBot.dg” which carry out the exploit.

The worm has infected users in China and Taiwan, and the DDoS-bot attacks also have only impacted those regions, Runald said.

Last week, a different trojan called Gimmiv was discovered that also takes advantage of the same vulnerability, which was patched on Oct. 23, out of cycle to Microsoft's normally scheduled security update on the second Tuesday of the month.

The target of that trojan is confidential data from the infected user's PC, including login credentials for Outlook and Window's Live Messenger. Runald said he thinks the two exploits are unrelated.

The new exploit is troubling because worms have the potential of becoming a bigger problem by self replicating, he said. But Gimmiv is more harmful to the end-user because it attempts to steal sensitive information.