
Worm Spreads in China via New Vulnerability in Windows

The much feared mass-level attack of the Backdoor-Worm Win32.IRCBot.st is underway in China, affecting thousands using Shanghai Telecom's broadband services since its outbreak on Tuesday evening.

FOR IMMEDIATE RELEASE

PRLog (Press Release) - Aug 21, 2006 -
It’s become real. The much feared mass-level attack of the Backdoor-Worm Win32.IRCBot.st is underway in China, affecting thousands using Shanghai Telecom's broadband services since its outbreak on Tuesday evening, according to security experts at MicroWorld Technologies.



Known as ‘Worm.Mocbot’ or ‘Devil Wave’ in Chinese media, this worm is a variant of ‘IRCBot.st’ that exploits the MS06-040 vulnerability to spread swiftly and widely across large networks, targeting Windows 2000, XP and 2003. According to Chinese agencies, the worm’s proliferation seems to have been perpetrated by malware writers at Shanghai University, though it is now spilling out of China's commercial capital and spreading fast in other Chinese cities as well.




As MicroWorld Technologies reported earlier, “Win32.IRCBot.st” is a PE executable packed with MEW. It appears as "wgareg.exe" in the Windows System folder with the description "Windows Genuine Advantage Registration Service". IRCBot.st uses AOL Instant Messenger as its external spreading mechanism.



Once inside the system, the Backdoor cuts off the computer’s access to the Internet, changes Windows Security settings, turns off the firewall and antivirus, and connects to the remote attacker via IRC channels. Within a network, the Backdoor sends out the exploit to infect vulnerable machines, which explains why so many users in China were affected in so little time.



“It’s ironic that ‘Win32.IRCBot.st’ has been invented to exploit an earlier vulnerability in Windows Plug-n-Play Service, tagged as MS05-039,” says Sunil Kripalani, Vice President, Global Sales and Marketing, MicroWorld Technologies. “Without much change in code, the Backdoor-worm now trains its guns on MS06-040. While our customers are well safeguarded against this worm, we strongly urge everyone to update their Windows systems with the latest security patches from Microsoft as there’s an imminent possibility of fresher exploits targeting the critical vulnerability.”



MS06-040 is a vulnerability in the Server Service that allows remote code execution on networked computers; the Service listens on TCP ports 139 and 445. The ‘eConceal’ Firewall from MicroWorld Technologies can be used to safeguard these ports and provide another layer of threat protection, reminds Sunil Kripalani.



Rated as Critical, MS06-040 has even prompted US Homeland Security to issue a warning, while exploits are already out on the web. Security patches for Windows can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx.



MicroWorld

MicroWorld (www.mwti.net) is the developer of the world's first Real-Time Anti-Virus and Content Security software, eScan, for desktops and servers. Its communication security software, MailScan, is the first comprehensive e-mail scanner for your SMTP/POP3 Mail Server. MicroWorld Winsock Layer (MWL) is the revolutionary technology underlying these products, powering them to several certifications and awards by some of the most prestigious testing bodies, notable among them being Virus Bulletin, Checkmark, TUCOWS, Red Hat Ready, and Novell Ready. Combining their powerful scanner with MWL technology, MicroWorld solutions provide Real-Time Proactive security for your systems. For network security of enterprises, eConceal Firewall is the latest powerful offering from MicroWorld.



To learn more, kindly visit http://www.mwti.net.  


Source: MicroWorld Technologies, Inc.
Website: http://www.mwti.net