Last Updated: 2007-04-16 22:27:56 UTC
by Maarten Van Horenbeeck (Version: 3)
We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this:
AhnLab-V3 2007.4.14.0 04.16.2007 Win32/IRCBot.worm.199680.I
AntiVir 22.214.171.124 04.16.2007 HEUR/Crypted
AVG 126.96.36.1997 04.16.2007 Win32/CryptExe
DrWeb 4.33 04.16.2007 BackDoor.IRC.Sdbot.1299
eSafe 188.8.131.52 04.16.2007 Suspicious Trojan/Worm
Fortinet 184.108.40.206 04.16.2007 suspicious
Kaspersky 220.127.116.11 04.16.2007 Backdoor.Win32.VanBot.bx
Prevx1 V2 04.16.2007 Malware.Trojan.Backdoor.Gen
Symantec 10 04.16.2007 W32.Rinbot.A
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Crypted
McAfee also has a writeup on this worm here.
We would like to urge you to consider implementing the workarounds discussed in our previous diary entry here and closely review the Microsoft security advisory. (Thanks to David for submitting the initial binary).