Monday, April 16, 2007 11:45 PM
cmosby
McAfee Avert Labs Blog - RPC DNS Worm Spotted In The Wild
Monday April 16, 2007 at 2:02 pm CST
Posted by Craig Schmugar
A new Nirbot variant has been discovered that attempts to exploit the recent zero-day vulnerability in Microsoft’s DNS Server Service (CVE-2007-1748).
Vulnerability to Worm Timeline:
- April 7 - This vulnerability was first reported by SANS in what was believed to be a targeted attack
- April 12 - Microsoft posted Microsoft Security Advisory (935964)
- April 14 - An exploit was made public
- April 15 - Three other exploits were made public
- April 15 - The first worm was submitted to McAfee Avert Labs late in the day
Analysis is ongoing. More details will be posted here.
Update April 16, 20:30 PDT
A second variant has been discovered.
First Variant
File Name: mdnex.exe (writes c:\U.exe)
File Size: 199,680 bytes
MD5: 0xc1a6a22b2415ba608fb894b4e036e19c
Second Variant
File Name: mozila.exe (writes c:\U.exe)
File Size: 270,848 bytes
MD5: 0x8f6cb8d895e60387fe3e41377d0f0d3f
Source: Computer Security Research - McAfee Avert Labs Blog