Monday, April 16, 2007 11:43 PM
cmosby
SANS Internet Storm Center - New Rinbot scanning for port 1025 DNS/RPC
New Rinbot scanning for port 1025 DNS/RPC
Published: 2007-04-16, Last Updated: 2007-04-16 22:27:56 UTC
by Maarten Van Horenbeeck (Version: 3)
We are currently tracking a new version of the Rinbot worm that, in addition to its regular scans, also scans for port 1025/tcp. Once connected, it attempts a Windows 2000 DnsservQuery to exploit the recent Microsoft DNS RPC vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this:
Product            Version      Date        Detection
AhnLab-V3          2007.4.14.0  04.16.2007  Win32/IRCBot.worm.199680.I
AntiVir            7.3.1.52     04.16.2007  HEUR/Crypted
AVG                7.5.0.447    04.16.2007  Win32/CryptExe
DrWeb              4.33         04.16.2007  BackDoor.IRC.Sdbot.1299
eSafe              7.0.15.0     04.16.2007  Suspicious Trojan/Worm
Fortinet           2.85.0.0     04.16.2007  suspicious
Kaspersky          4.0.2.24     04.16.2007  Backdoor.Win32.VanBot.bx
Prevx1             V2           04.16.2007  Malware.Trojan.Backdoor.Gen
Symantec           10           04.16.2007  W32.Rinbot.A
Webwasher-Gateway  6.0.1        04.16.2007  Heuristic.Crypted
McAfee also has a writeup on this worm here.
We would like to urge you to consider implementing the workarounds discussed in our previous diary entry here and closely review the Microsoft security advisory. (Thanks to David for submitting the initial binary).
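With antivirus detection this poor, network flow data is another way to spot infected hosts. The following is an added example, not part of the original diary or any ISC tooling: it flags sources that contact many distinct destinations on 1025/tcp within a short window, the scanning behavior described above. The flow-record format, addresses, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (not real traffic):
# time, source, destination, destination port, protocol
SAMPLE_FLOWS = """\
2007-04-16T22:00:01 10.0.5.23 10.0.7.1 1025 tcp
2007-04-16T22:00:02 10.0.5.23 10.0.7.2 1025 tcp
2007-04-16T22:00:03 10.0.5.23 10.0.7.3 1025 tcp
2007-04-16T22:00:04 10.0.5.23 10.0.7.4 1025 tcp
2007-04-16T22:00:05 10.0.5.23 10.0.7.5 1025 tcp
2007-04-16T22:00:06 10.0.9.40 10.0.7.1 1025 tcp
2007-04-16T22:00:07 10.0.5.23 10.0.7.6 445 tcp
2007-04-16T22:10:00 10.0.9.40 10.0.7.1 1025 tcp
this line is malformed
"""

def parse_flows(text):
    """Yield (time, src, dst, dport, proto); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1], parts[2],
                   int(parts[3]), parts[4].lower())
        except ValueError:
            continue

def find_scanners(flows, port=1025, proto="tcp", min_targets=5,
                  window=timedelta(seconds=60)):
    """Return {src: peak distinct destinations on port/proto inside one window}
    for every source whose peak reaches min_targets."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    peak = {}
    for ts, src, dst, dport, p in sorted(flows):
        if dport != port or p != proto:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop contacts older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= min_targets:
            peak[src] = max(peak.get(src, 0), distinct)
    return peak

if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {n} distinct destinations on 1025/tcp within 60s")
```

A host that repeatedly talks to one destination on 1025/tcp (10.0.9.40 in the sample) is not flagged; only fan-out across many destinations is.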
Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc