It's become real. The much-feared mass attack of the
backdoor worm Win32.IRCBot.st is underway in China and
has affected thousands of users of Shanghai Telecom's
broadband services since its outbreak on Tuesday evening,
report security experts at MicroWorld Technologies.
Known as 'Worm.Mocbot' or 'Devil Wave' in Chinese
media, this worm is a variant of 'IRCBot.st' that
exploits the MS06-040 vulnerability to spread swiftly
and widely across large networks, targeting Windows
2000, XP and 2003 versions. According to Chinese agencies,
the worm's proliferation seems to be the work of
malware writers at Shanghai University, though it is
now spilling out of China's commercial capital and
spreading fast in other Chinese cities as well.

As MicroWorld Technologies reported earlier, "Win32.IRCBot.st"
is a PE executable packed with MEW. It appears as
"wgareg.exe" in the Windows System folder
with the description "Windows Genuine Advantage
Registration Service". IRCBot.st uses AOL
Instant Messenger as its external mode of spreading.

Once inside the system, the backdoor blocks the computer's
access to the Internet, changes Windows security settings,
turns off the firewall and antivirus, and connects to the
remote attacker via IRC channels. Within networks, the
backdoor sends out the exploit to infect vulnerable
machines, which explains why so many users in China were
affected in so little time.

"It's ironic that 'Win32.IRCBot.st' has been
invented to exploit an earlier vulnerability in Windows
Plug-n-Play Service, tagged as MS05-039," says
Sunil Kripalani, Vice President, Global Sales and
Marketing, MicroWorld Technologies. "Without
much change in code, the Backdoor-worm now trains
its guns on MS06-040. While our customers are well
safeguarded against this worm, we strongly urge everyone
to update their Windows systems with the latest security
patches from Microsoft as there's an imminent possibility
of fresher exploits targeting the critical vulnerability."

MS06-040 is a vulnerability in the Server service that
allows remote code execution on networked computers; the
service listens on TCP ports 139 and 445. The 'eConceal'
Firewall from MicroWorld Technologies can be used to
safeguard these ports and provide another layer of threat
protection, notes Sunil Kripalani.
Rated as Critical, MS06-040 has even prompted US
Homeland Security to issue a warning, while exploits
are already out on the web. Security patches for
Windows can be downloaded from
http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx

MicroWorld
MicroWorld (www.mwti.net) is the developer of the
world's first Real-Time Anti-Virus and Content Security
software, eScan, for desktops and servers. Its
communication security software, MailScan, is the first
comprehensive e-mail scanner for your SMTP/POP3 Mail
Server. MicroWorld
Winsock Layer (MWL) is the revolutionary technology
underlying these products, powering them to several
certifications and awards by some of the most prestigious
testing bodies, notable among them being Virus Bulletin,
Checkmark, TUCOWS, Red Hat Ready, and Novell Ready.
Combining their powerful scanner with MWL technology,
MicroWorld solutions provide real-time, proactive
security for your systems. For network security of
enterprises, eConceal Firewall is the latest powerful
offering from MicroWorld.
To learn more, kindly visit http://www.mwti.net.