On Nov. 26th, Computerworld published an article on new variants of the worm exploiting the MS08-067 Windows Server Service vulnerability. The variants, called "Conficker" by Microsoft and "Downadup" by Symantec, have spread beyond Asia to the U.S. and other countries: http://www.microsoft.com/security/portalEntry.aspx?Name=Worm%3aWin32%2fConficker.A
The new variants also reportedly attempt to connect to several URLs (getmyip.org, getmyip.co.uk and checkip.dyndns.org, all public IP-address lookup services). Another interesting detail is that the worm has been reported to reset the computer's restore points.
CVE Reference: CVE-2008-4250
Symantec has published removal procedures at: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3
On Nov. 25th, the Microsoft Malware Protection Center also published an entry on a backdoor IRC bot that exploits systems that have not been patched: http://www.microsoft.com/security/portal/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.BH
The trojan connects to a predefined remote IRC server named '0x90.devtech.us'.
The trojan can also send clipboard contents from the infected computer.
Other vendors' detection names for this threat:
Win32/IRCBot.worm.Gen (AhnLab)
Win32/IRCBot!generic (CA)
WIN.IRC.WORM.Virus (Dr.Web)
Exploit-DcomRpc.gen (McAfee)
Mal/IRCBot-B (Sophos)
Purple Exploit (other)
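As an added example (not code from the article or from either vendor), the following Python script triages DNS-resolver log lines for the network indicators named above: the IP-lookup domains the Conficker variants contact and the IRC server the backdoor connects to. The log format, timestamps and client addresses are constructed for illustration; the IP-lookup services are also used by legitimate software, so a single lookup is only a weak signal.

```python
import re
from collections import defaultdict

# Network indicators quoted in the post above.
IP_CHECK_DOMAINS = {"getmyip.org", "getmyip.co.uk", "checkip.dyndns.org"}
IRC_SERVERS = {"0x90.devtech.us"}

# Constructed resolver log in a hypothetical "timestamp client query TYPE name" format.
SAMPLE_LOG = """\
2008-11-26T10:01:02 10.0.0.5 query A getmyip.org
2008-11-26T10:01:03 10.0.0.5 query A checkip.dyndns.org
2008-11-26T10:01:04 10.0.0.5 query A getmyip.co.uk
2008-11-26T10:02:00 10.0.0.7 query A www.example.com
2008-11-26T10:03:10 10.0.0.9 query A getmyip.org
2008-11-26T10:05:30 10.0.0.5 query A 0x90.devtech.us
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")

def parse_queries(log_text):
    """Yield (client, domain) for every well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3).lower().rstrip(".")

def score_hosts(log_text):
    """Per client: which IP-check domains it resolved and whether it resolved the IRC server."""
    hits = defaultdict(lambda: {"ipcheck": set(), "irc": False})
    for client, domain in parse_queries(log_text):
        if domain in IP_CHECK_DOMAINS:
            hits[client]["ipcheck"].add(domain)
        elif domain in IRC_SERVERS:
            hits[client]["irc"] = True
    return hits

def triage(log_text):
    """Map client -> 'high' | 'medium' | 'low'. One IP-check lookup is weak (legitimate
    software uses these services); two or more distinct services, or the IRC server, escalates."""
    verdicts = {}
    for client, h in score_hosts(log_text).items():
        if h["irc"]:
            verdicts[client] = "high"
        elif len(h["ipcheck"]) >= 2:
            verdicts[client] = "medium"
        elif h["ipcheck"]:
            verdicts[client] = "low"
    return verdicts
```

Hosts that never touch any indicator (10.0.0.7 in the sample) are absent from the result rather than reported as clean.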
We don't know how many more variants will be released, and as always we can't be sure the patch fixes all the issues involved.