W32/RpcSpybot-A is a worm that exploits the RPC/DCOM vulnerability on computers running the Windows operating system to spread. The worm has a backdoor component that allows a malicious user remote access to an infected computer, according to Sophos.

Trend Micro recognizes the worm as WORM_RPCSDBOT.A, and says it exploits the RPC DCOM buffer overflow, a vulnerability in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that allows an attacker to gain full access and execute any code on a target machine, leaving it compromised.

It further uses this exploit to drop and execute a copy of itself on the compromised machine. This worm has been observed to continuously scan random IP addresses and send data to vulnerable systems on the network using port 135. It also acts as a backdoor by connecting to a remote Internet Relay Chat (IRC) server, where a malicious user sends commands for the malware to carry out on the affected system.

Microsoft issued a patch for the vulnerability exploited by this worm on July 16, 2003. The patch is available here.

McAfee issued a warning Wednesday for a similar threat, W32/Spybot.worm.md, with the specified engine/DATs. The filenames for the executable and the DLL it drops are as follows:

  • NSTASK32.EXE (24,064 bytes)
  • WINSOCK32DRV.DLL (43,520 bytes)

This threat was proactively detected as New Malware.b when scanning compressed files with the 4.2.40+ scan engine, 4283 DAT files, and program heuristics enabled. This is another worm that exploits the MS03-026 vulnerability. It works in a similar fashion to W32/Lovsan.worm in that it creates a remote shell on TCP port 4444 and tells the compromised target system to download (via TFTP) and execute the worm from the host system. This threat differs in that it is also an IRC bot (the source code for IRC-Sdbot was used).

When run, the worm creates two files in the %WinDir%\System32 directory. View them and other information at this McAfee page.

Blaster Worm Still Out in Force

The Blaster worm continues to wreak havoc on users' PCs, as evidenced by the number of incidents various vendors are receiving. According to Sophos, W32/Blaster-B is functionally equivalent to W32/Blaster-A, except that this variant uses the filename teekids.exe and the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Inet Xp..

Also, the internal message has been changed to:
Microsoft can suck my left testi!
Bill Gates can suck my right testi!
And All Antivirus Makers Can Suck My Big Fat Cock

Protecting against Blaster and other viruses that could emerge in the near future can be simple, provided users take a few basic precautions:

  • Find out about and apply patches that correct vulnerabilities detected in the software installed on a PC. Vendors' web sites will normally carry this sort of information and the downloads. Similarly, e-bulletin services provide the latest information on these security issues.
  • Keep antivirus software updated.
  • Install a personal firewall on the computer, for both broadband and modem connections, since just a few seconds is all it takes for malicious code such as Blaster to infect a PC.

For more information, visit Panda Software at this page.

New Variant of W32/Lovsan.worm Out

A new variant has been discovered that spreads as teekids.exe (5,360 bytes). It is functionally similar to the original W32/Lovsan.worm. It requires 4285 DATs.

This threat was proactively detected as a variant of Exploit-DcomRpc with the 4283 DAT files and 4.1.60+ scan engine. This detection requires scanning of compressed executables to be enabled (VirusScan 7 provides the ability to disable this option; however, it is enabled by default).

This threat exploits the MS03-026 vulnerability. The purpose of the virus is to spread to as many machines as possible. By exploiting an unpatched hole in Windows, the virus is able to execute without requiring any action on the part of the user. The worm also creates a remote access point, allowing an attacker to run system commands of their choosing.

When run, it scans a random IP range looking for vulnerable systems on TCP port 135. The worm attempts to exploit the DCOM RPC vulnerability on the systems it finds to create a remote shell on TCP port 4444. It then instructs the system to download the worm to the %WinDir%\system32 directory and execute it. (The target system is issued a TFTP command to download the worm from the infected host system over TFTP, UDP port 69.)
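The scanning pattern described here and in the W32/RpcSpybot-A item at the top of this page (random targets on TCP port 135, a shell on TCP port 4444, a TFTP pull on UDP port 69) is something a network defender can look for in connection logs. The Python script below is an added example, not code from the write-ups or from any of the vendors quoted: it profiles constructed firewall-style log lines (the log format, the host addresses and the scan threshold are all assumptions) and flags a source that fans out to many distinct hosts on port 135 and then opens a 4444 connection to, or receives a TFTP request from, one of those same hosts.

```python
import re
from collections import defaultdict

# Constructed log format (assumption): "<time> <proto> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def constructed_log():
    """Constructed sample: 10.0.0.5 behaves like the worm, 10.0.0.7 is an ordinary client."""
    lines = []
    # 25 connection attempts from one host to 25 distinct "random" addresses on TCP/135
    for i in range(25):
        lines.append(f"12:00:{i:02d} TCP 10.0.0.5:{1100 + i} -> 192.168.{i}.{(i * 37) % 254 + 1}:135 SYN")
    # one target answered: the worm connects to the shell it opened on TCP/4444 ...
    lines.append("12:00:30 TCP 10.0.0.5:1200 -> 192.168.3.112:4444 SYN")
    # ... and that target fetches the worm back from the infected host over TFTP (UDP/69)
    lines.append("12:00:31 UDP 192.168.3.112:1035 -> 10.0.0.5:69 ALLOW")
    # ordinary client: two DCOM calls to one server and some web traffic
    lines.append("12:01:00 TCP 10.0.0.7:1300 -> 10.0.0.1:135 SYN")
    lines.append("12:01:01 TCP 10.0.0.7:1301 -> 10.0.0.1:135 SYN")
    lines.append("12:01:02 TCP 10.0.0.7:1302 -> 10.0.0.20:80 SYN")
    lines.append("malformed line that the parser must skip")
    return lines


def parse_log(lines):
    """Parse log lines into dicts; lines that do not match the format are dropped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def profile_hosts(events):
    """Per source host: distinct TCP/135 targets, TCP/4444 targets and inbound UDP/69 peers."""
    profiles = defaultdict(lambda: {"rpc_targets": set(), "shell_targets": set(), "tftp_peers": set()})
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 135:
            profiles[e["src"]]["rpc_targets"].add(e["dst"])
        elif e["proto"] == "TCP" and e["dport"] == 4444:
            profiles[e["src"]]["shell_targets"].add(e["dst"])
        elif e["proto"] == "UDP" and e["dport"] == 69:
            # the infected host is the TFTP *server*, so key this on the destination
            profiles[e["dst"]]["tftp_peers"].add(e["src"])
    return profiles


def classify(profiles, scan_threshold=20):
    """'likely-infected' when a 135 target is also a shell target or a TFTP peer,
    'rpc-scanner' for broad 135 fan-out alone, 'normal' otherwise."""
    verdicts = {}
    for host, p in profiles.items():
        corroborated = bool(p["rpc_targets"] & (p["shell_targets"] | p["tftp_peers"]))
        scanning = len(p["rpc_targets"]) >= scan_threshold
        if corroborated:
            verdicts[host] = "likely-infected"
        elif scanning:
            verdicts[host] = "rpc-scanner"
        else:
            verdicts[host] = "normal"
    return verdicts


def analyze(lines, scan_threshold=20):
    return classify(profile_hosts(parse_log(lines)), scan_threshold)


if __name__ == "__main__":
    for host, verdict in sorted(analyze(constructed_log()).items()):
        print(host, verdict)
```

The threshold only matters for the weaker "rpc-scanner" verdict; a host that touches a target on port 135 and then on port 4444 (or serves it TFTP) is flagged regardless of how many addresses it scanned, because that sequence is the infection hand-off itself rather than a volume anomaly.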

Once run, the worm creates a registry key. View it and other information at this McAfee page.
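As an added example (not code from McAfee, Sophos or this article), the Python below checks a host-side export of the Run key and a directory listing against the indicators the items above give: the Run value name Microsoft Inet Xp.. and filename teekids.exe (5,360 bytes) from the Blaster-B and Lovsan variant write-ups, and NSTASK32.EXE (24,064 bytes) and WINSOCK32DRV.DLL (43,520 bytes) from the W32/Spybot.worm.md item. The .reg text and the directory contents are constructed here, and the .reg line format is an assumption. A size mismatch is reported rather than used to clear a file, since a file carrying one of these names at another size could be a further variant or an unrelated file.

```python
import os
import re
import tempfile

# Indicators quoted in the write-ups above: lowercase filename -> size in bytes
FILE_INDICATORS = {
    "teekids.exe": 5360,        # W32/Blaster-B / W32/Lovsan.worm variant
    "nstask32.exe": 24064,      # W32/Spybot.worm.md executable
    "winsock32drv.dll": 43520,  # W32/Spybot.worm.md DLL
}
# Run value name used by W32/Blaster-B (compared case-insensitively)
RUN_VALUE_INDICATORS = {"microsoft inet xp.."}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed .reg-style export (assumed format: [key] lines followed by "name"="data" lines)
SAMPLE_REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Microsoft Inet Xp.."="teekids.exe"
"svc"="C:\\\\WINDOWS\\\\System32\\\\nstask32.exe"
"Updater"="C:\\\\Program Files\\\\Vendor\\\\update.exe"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group("name")] = m.group("data")
    return keys


def check_run_key(reg):
    """Run values whose name, or whose target's filename, matches an indicator."""
    hits = []
    for name, data in reg.get(RUN_KEY, {}).items():
        target = os.path.basename(data.replace("\\", "/")).lower()
        if name.lower() in RUN_VALUE_INDICATORS or target in FILE_INDICATORS:
            hits.append((name, data))
    return hits


def check_files(directory):
    """(filename, actual size, size matches indicator) for every file whose name is an indicator."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            expected = FILE_INDICATORS.get(fname.lower())
            if expected is None:
                continue
            size = os.path.getsize(os.path.join(root, fname))
            hits.append((fname, size, size == expected))
    return hits


def build_constructed_dir():
    """Constructed stand-in for %WinDir%\\System32: one exact-size hit, one name-only hit, one clean file."""
    d = tempfile.mkdtemp(prefix="ioc_demo_")
    with open(os.path.join(d, "teekids.exe"), "wb") as f:
        f.write(b"\0" * 5360)
    with open(os.path.join(d, "WINSOCK32DRV.DLL"), "wb") as f:
        f.write(b"\0" * 100)
    with open(os.path.join(d, "notepad.exe"), "wb") as f:
        f.write(b"\0" * 2048)
    return d


if __name__ == "__main__":
    print(check_run_key(parse_reg_export(SAMPLE_REG_EXPORT)))
    print(check_files(build_constructed_dir()))
```

Matching on the basename of the Run value's data, rather than on the value name alone, is what catches the second constructed entry: the value name is innocuous, but it launches nstask32.exe.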

W32/Antinny.worm Displays File in Japanese

This worm attempts to propagate via a Japanese P2P file-sharing program called Winny. A fake error message is displayed first when it is run. The worm then drops the following legitimate DLLs for archiving:

  • unlha32.dll (SFX archiver)
  • zip32.dll
  • zip32j.dll

It then attempts to copy itself, using attractive filenames, to the upload directory of Winny for other users to download. The filenames are concatenated from short strings in the virus body. View some examples of the filenames created at this McAfee page.

--Compiled by Esther Shein