Last Updated: 2007-04-16 22:27:56 UTC
by Maarten Van Horenbeeck (Version: 3)
We are currently tracking a new version of the Rinbot worm that in addition to its regular scans, is also scanning for port 1025/tcp. Once connected, it attempts to do a Windows 2000 DnsservQuery, attempting to exploit the recent Microsoft DNS RPC vulnerability. Detection of this virus is currently very poor, and we are working with the AV vendors to improve this:
AhnLab-V3 2007.4.14.0 04.16.2007 Win32/IRCBot.worm.199680.I
AntiVir 126.96.36.199 04.16.2007 HEUR/Crypted
AVG 188.8.131.527 04.16.2007 Win32/CryptExe
DrWeb 4.33 04.16.2007 BackDoor.IRC.Sdbot.1299
eSafe 184.108.40.206 04.16.2007 Suspicious Trojan/Worm
Fortinet 220.127.116.11 04.16.2007 suspicious
Kaspersky 18.104.22.168 04.16.2007 Backdoor.Win32.VanBot.bx
Prevx1 V2 04.16.2007 Malware.Trojan.Backdoor.Gen
Symantec 10 04.16.2007 W32.Rinbot.A
Webwasher-Gateway 6.0.1 04.16.2007 Heuristic.Crypted
McAfee also has a writeup on this worm here.
We would like to urge you to consider implementing the workarounds discussed in our previous diary entry here and closely review the Microsoft security advisory. (Thanks to David for submitting the initial binary).