Tuesday, November 4, 2008



Updated Information 03 Nov 2008:



Two new worms (self-replicating, autonomous malware) that exploit unpatched Microsoft Windows systems have been identified in the wild. They spread by leveraging the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

Technical Details:

http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-110307-0547-99 [7]
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-110315-4059-99 [8]

W32.Wecorl and W32.Kernelbot.A are worms that exploit the Microsoft Windows RPC vulnerability in order to spread automatically across networks. Any unpatched and unprotected system can be infected without user intervention. At this moment it is unclear what the payload of this malware is.

Symantec has a Daily Certified definition (November 3, 2008 revision 003) to protect against W32.Wecorl. A Rapid Release definition that protects against W32.Kernelbot.A is also available (November 3, 2008 revision 021). Although these definitions can help protect vulnerable systems, the best way to prevent an infection is to apply the Microsoft patch [1].

Mitigating factors for DCN:

Most systems should already have the Microsoft patch installed by now.


[6] http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-110306-2212-99
[7] http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-110307-0547-99
[8] http://www.symantec.com/norton/security_response/writeup.jsp?docid=2008-110315-4059-99

1 comment:

Eng Seng said...

For some reason, when I read the title I thought of the Bat-signal...