It's become real. The much-feared mass-level attack of the Backdoor-Worm Win32.IRCBot.st is underway in China, affecting thousands of users of Shanghai Telecom's broadband services since its outbreak on Tuesday evening, report security experts at MicroWorld Technologies.

Known as 'Worm.Mocbot' or 'Devil Wave' in Chinese media, this worm is a variant of 'IRCBot.st' that exploits the MS06-040 vulnerability to spread swiftly and widely in large networks, targeting Windows 2000, XP and 2003 versions. According to Chinese agencies, the worm's proliferation seems to have been perpetrated by malware writers at Shanghai University, though it is now spilling out of the commercial capital of China and spreading fast in other Chinese cities as well.

As MicroWorld Technologies reported earlier, "Win32.IRCBot.st" is a PE executable packed with MEW. It appears as "wgareg.exe" in the Windows System folder with the description "Windows Genuine Advantage Registration Service". IRCBot.st uses AOL Instant Messenger for its external spreading routine.

Once inside the system, the Backdoor blocks the computer's access to the Internet, changes Windows Security settings, turns off the firewall and AntiVirus, and connects to the remote attacker via IRC channels. Within networks, this Backdoor sends out the exploit to infect vulnerable machines, which explains why so many users in China were affected in so little time.

"It's ironic that 'Win32.IRCBot.st' has been invented to exploit an earlier vulnerability in Windows Plug-n-Play Service, tagged as MS05-039," says Sunil Kripalani, Vice President, Global Sales and Marketing, MicroWorld Technologies. "Without much change in code, the Backdoor-worm now trains its guns on MS06-040. While our customers are well safeguarded against this worm, we strongly urge everyone to update their Windows systems with the latest security patches from Microsoft as there's an imminent possibility of fresher exploits targeting the critical vulnerability."

MS06-040 is a Server Service vulnerability that allows remote code execution on networked computers; the Server service listens on TCP ports 139 and 445. One can employ the 'eConceal' Firewall from MicroWorld Technologies to safeguard these ports and provide another layer of threat protection, reminds Sunil Kripalani.

Rated as Critical, MS06-040 has even prompted the US Homeland Security to issue a warning, while exploits are already out on the web. To download security patches for Windows, visit http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx

MicroWorld
MicroWorld (www.mwti.net) is the developer of the world's first Real-Time Anti-Virus and Content Security software eScan for desktops and servers. Its communication security software, MailScan, is the first comprehensive e-mail scanner for your SMTP/POP3 Mail Server. MicroWorld Winsock Layer (MWL) is the revolutionary technology underlying these products, powering them to several certifications and awards by some of the most prestigious testing bodies, notable among them being Virus Bulletin, Checkmark, TUCOWS, Red Hat Ready, and Novell Ready. Combining their powerful scanner with MWL technology, MicroWorld solutions provide Real-Time Proactive security for your systems. For network security of enterprises, eConceal Firewall is the latest powerful offering from MicroWorld.
To learn more, kindly visit http://www.mwti.net