
SANS ISC: InfoSec Handlers Diary Blog


New Rinbot scanning for port 1025 DNS/RPC

Published: 2007-04-16
Last Updated: 2007-04-16 22:27:56 UTC
by Maarten Van Horenbeeck (Version: 3)

We are currently tracking a new version of the Rinbot worm that, in addition to its regular scans, also scans for port 1025/tcp. Once connected, it issues a Windows 2000 DnsservQuery call in an attempt to exploit the recent Microsoft DNS RPC vulnerability. Anti-virus detection of this sample is currently very poor, and we are working with the AV vendors to improve it:

Vendor (engine version)       Signature date   Detection name
AhnLab-V3 2007.4.14.0         04.16.2007       Win32/IRCBot.worm.199680.I
AntiVir                       04.16.2007       HEUR/Crypted
AVG                           04.16.2007       Win32/CryptExe
DrWeb 4.33                    04.16.2007       BackDoor.IRC.Sdbot.1299
eSafe                         04.16.2007       Suspicious Trojan/Worm
Fortinet                      04.16.2007       suspicious
Kaspersky                     04.16.2007       Backdoor.Win32.VanBot.bx
Prevx1 V2                     04.16.2007       Malware.Trojan.Backdoor.Gen
Symantec 10                   04.16.2007       W32.Rinbot.A
Webwasher-Gateway 6.0.1       04.16.2007       Heuristic.Crypted

McAfee also has a writeup on this worm here.

We would like to urge you to consider implementing the workarounds discussed in our previous diary entry here and to closely review the Microsoft security advisory. (Thanks to David for submitting the initial binary.)
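One way to spot the scanning behaviour described above in your own perimeter logs, as an added example that is not part of the diary: flag any source that fans out to many distinct hosts on 1025/tcp inside a short window. The log format, the five-minute window and the four-target threshold are assumptions, and the log lines are constructed.

```python
# Added example (not from the ISC diary): flag hosts that fan out to many
# distinct destinations on 1025/tcp, the scanning behaviour described above.
# The log format, window and threshold are assumptions; log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample firewall log (assumed format: ts action proto src -> dst).
SAMPLE_LOG = """\
2007-04-16T21:00:01Z ACCEPT TCP 10.0.0.5:3371 -> 10.0.1.10:1025
2007-04-16T21:00:01Z DROP TCP 10.0.0.5:3372 -> 10.0.1.11:1025
2007-04-16T21:00:02Z DROP TCP 10.0.0.5:3373 -> 10.0.1.12:1025
2007-04-16T21:00:02Z DROP TCP 10.0.0.5:3374 -> 10.0.1.13:1025
2007-04-16T21:00:03Z DROP TCP 10.0.0.5:3375 -> 10.0.1.14:1025
2007-04-16T21:00:03Z ACCEPT TCP 10.0.0.7:4411 -> 10.0.1.10:1025
2007-04-16T21:00:04Z ACCEPT TCP 10.0.0.7:4412 -> 10.0.1.10:1025
2007-04-16T21:30:00Z DROP TCP 10.0.0.9:1100 -> 10.0.1.20:1025
2007-04-16T21:30:01Z DROP TCP 10.0.0.9:1101 -> 10.0.1.21:1025
2007-04-16T21:00:05Z ACCEPT TCP 10.0.0.5:3376 -> 10.0.1.10:445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def find_scanners(log_text, dport=1025, window=timedelta(minutes=5), min_targets=4):
    """Map source -> sorted distinct targets for sources that reach at least
    min_targets distinct hosts on dport inside one sliding window."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != dport:
            continue  # other ports (or unparseable lines) are not of interest here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so every later event has t >= t0
        for i, (t0, _) in enumerate(evs):
            targets = {d for t, d in evs[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} distinct hosts on 1025/tcp -> {targets}")
```

Repeated connections from one host to a single DNS server on 1025/tcp are deliberately not flagged; only the fan-out pattern of a scanner is.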
