Windows Worm Spreads Over Weekend

Various security firms began warning of a new exploit that takes advantage of a vulnerability in Server Service function of Windows. The exploit involves the same advisory that Homeland Security warned computer users about late last week, and appears to be spreading as a worm like initially feared.

The virus is known by a host of names depending on security vendor: Backdoor.Win32.IRCBot.st through Kaspersky, Backdoor:Win32/Graweg through Microsoft, W32.Wargbot through Symantec, W32/Cuebot through Sophos, and WORM_IRCBOT through TrendMicro.

An infected PC would become part of a "botnet," or a group of computers infected with malware that allows them to be controlled remotely. In this case, commands are sent to compromised systems via IRC servers located in China. These botnets can be used to launch denial of service attacks, researchers say.

Security firm Sophos says the exploit is being spread through AOL Instant Messenger, while others warned that new variants of the issue could appear at any time.

There is some disagreement as to which systems are potentially vulnerable, however all companies agree that the worm is a rather low-risk issue and affects machines running Windows 2000. However, some believe that the issue could be exploited in computers running Windows XP SP1 as well.

In any case, for almost a day most antivirus software makers offered no protection to the problem, says Marc Maiffret of eEye Digital Security. "This illustrates yet again the reactive nature of anti-virus and the need for proactive protection that prevents the root of the problem, the vulnerability, rather than the after affect of the problem, the malware," he said.

By Sunday afternoon, most major anti-malware companies including McAfee, Microsoft, Symantec, and Sophos had updated their virus definition files to include protection from the issue.

Microsoft Security Response Center researcher Stephen Toulouse provided more details on the worm's specifics Saturday night. "So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent internet-wide worms," he said. "In fact, our initial investigation reveals this isn't a worm in the 'autospreading' classic sense, and it appears to target Windows 2000."

All security firms recommend that consumers make sure antivirus software is installed and updated, and a firewall is active -- especially for those using Microsoft's six year-old server operating system.

Sophos senior technology consultant Graham Cluely said the latest exploit spoke to Microsoft's continuing struggle to keep its millions of users safe from viruses and worms. "This is a real headache for Microsoft as they try and reassure people that their operating system is becoming more secure," he said.