DNS Vulnerability being Exploited in the Wild 

Apr 16, 2007 03:00 AM

It has been reported that a worm that exploits the Microsoft Windows Domain Name Server Service Remote Procedure Call Interface Vulnerability is in the wild. Symantec Security Response has obtained a sample of the worm and we detect the threat as W32.Rinbot.BC.

UPDATE
We have seen an increase in activity over TCP port 1025 as a result of W32.Rinbot.BC scanning the port in search of vulnerable computers. W32.Rinbot.BC is the first worm that exploits the Microsoft DNS vulnerability, and the exploit code was only made public a few days ago. If you have not done so already, Symantec suggests that you block TCP port 1025 in order to avoid the attack.

Blaster, Sasser, W32.Rinbot.BC
We have observed that the time taken from exploit code being made public to being integrated into malware that appears in the wild is becoming shorter and shorter. On the other hand, many threats exploit multiple vulnerabilities and the list of vulnerabilities that malware authors can use is getting longer and longer.

Payload
W32.Rinbot.BC opens a back door that connects to the x.rofflewaffles.us domain and waits for commands from the attacker. The intention behind this malware appears to be the same as any other bot: construction of a botnet.
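
The two network indicators described above, scanning on TCP port 1025 and lookups of the back-door domain, can be checked against connection and DNS logs. The following is an added example, not Symantec's code or part of the original post; the log format, sample records, threshold and time window are assumptions constructed for illustration.

```python
from collections import defaultdict

SCAN_PORT = 1025                  # port the post says the worm scans
C2_DOMAIN = "x.rofflewaffles.us"  # back-door domain named in the post
FANOUT_THRESHOLD = 5              # assumed: distinct targets before flagging

# Constructed sample records in an assumed format:
#   <epoch> conn <src> <dst> <dport>   or   <epoch> dns <src> <qname>
SAMPLE_LOG = """\
1176700000 conn 10.0.0.23 10.0.1.1 1025
1176700002 conn 10.0.0.23 10.0.1.2 1025
1176700004 conn 10.0.0.23 10.0.1.3 1025
1176700006 conn 10.0.0.23 10.0.1.4 1025
1176700008 conn 10.0.0.23 10.0.1.5 1025
1176700010 conn 10.0.0.40 10.0.1.9 1025
1176700011 conn 10.0.0.40 10.0.1.9 1025
1176700012 conn 10.0.0.40 10.0.1.9 80
1176700020 dns 10.0.0.23 X.RoffleWaffles.US.
1176700030 dns 10.0.0.51 x.rofflewaffles.us
1176700040 dns 10.0.0.40 www.example.com
"""

def analyse(log_text, threshold=FANOUT_THRESHOLD, window=60):
    """Return hosts fanning out on TCP 1025 and hosts resolving the C2 domain."""
    targets = defaultdict(list)   # src -> [(timestamp, dst)] on SCAN_PORT
    c2_hosts = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue              # skip blank or truncated records
        ts, kind, src = int(parts[0]), parts[1], parts[2]
        if kind == "conn" and len(parts) == 5 and int(parts[4]) == SCAN_PORT:
            targets[src].append((ts, parts[3]))
        elif kind == "dns":
            # Normalise case and the trailing root dot before comparing.
            qname = parts[3].rstrip(".").lower()
            if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
                c2_hosts.add(src)
    scanners = set()
    for src, events in targets.items():
        events.sort()
        # One host repeatedly using port 1025 on a single server is normal
        # RPC traffic; many distinct targets inside the window is a scan.
        for start, _ in events:
            seen = {dst for ts, dst in events if 0 <= ts - start <= window}
            if len(seen) >= threshold:
                scanners.add(src)
                break
    return {"scanners": sorted(scanners), "c2_lookups": sorted(c2_hosts)}
```

A host that appears in both lists, as 10.0.0.23 does in the sample, is both scanning and reaching for the back-door domain and should be prioritised for isolation.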
