Thread-topic: FYI: New Rinbot scanning for port 1025 DNS/RPC
http://isc.sans.org/diary.html?n&storyid=2643
We are currently tracking a new version of the Rinbot worm that in
addition to its regular scans, is also scanning for port 1025/tcp. Once
connected, it attempts to do a Windows 2000 DnssrvQuery, attempting to
exploit the recent Microsoft DNS RPC vulnerability. Detection of this
virus is currently very poor, and we are working with the AV vendors to
improve this:

Engine             Version      Date        Detection
AhnLab-V3          2007.4.14.0  04.16.2007  Win32/IRCBot.worm.199680.I
AntiVir            7.3.1.52     04.16.2007  HEUR/Crypted
AVG                7.5.0.447    04.16.2007  Win32/CryptExe
DrWeb              4.33         04.16.2007  BackDoor.IRC.Sdbot.1299
eSafe              7.0.15.0     04.16.2007  Suspicious Trojan/Worm
Fortinet           2.85.0.0     04.16.2007  suspicious
Kaspersky          4.0.2.24     04.16.2007  Backdoor.Win32.VanBot.bx
Prevx1             V2           04.16.2007  Malware.Trojan.Backdoor.Gen
Symantec           10           04.16.2007  W32.Rinbot.A
Webwasher-Gateway  6.0.1        04.16.2007  Heuristic.Crypted

McAfee also has a writeup on this worm here.
We would like to urge you to consider implementing the workarounds
discussed in our previous diary entry here and closely review the
Microsoft security advisory. (Thanks to David for submitting the initial
binary).
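
With AV detection this poor, the 1025/tcp scanning itself is the more dependable signal. The following is an added example, not part of the diary entry: it flags sources that connect to 1025/tcp on many distinct hosts. The log format, the sample lines, the threshold and the function name are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (simplified, iptables-like format; an assumption).
SAMPLE_LOG = """\
2007-04-16T10:00:01 SRC=192.0.2.10 DST=10.0.1.1 PROTO=TCP DPT=1025 SYN
2007-04-16T10:00:01 SRC=192.0.2.10 DST=10.0.1.2 PROTO=TCP DPT=1025 SYN
2007-04-16T10:00:02 SRC=192.0.2.10 DST=10.0.1.3 PROTO=TCP DPT=1025 SYN
2007-04-16T10:00:02 SRC=192.0.2.10 DST=10.0.1.4 PROTO=TCP DPT=1025 SYN
2007-04-16T10:00:03 SRC=192.0.2.10 DST=10.0.1.1 PROTO=TCP DPT=445 SYN
2007-04-16T10:00:04 SRC=10.0.5.20 DST=10.0.1.9 PROTO=TCP DPT=1025 SYN
2007-04-16T10:00:09 SRC=10.0.5.20 DST=10.0.1.9 PROTO=TCP DPT=1025 SYN
2007-04-16T10:00:10 SRC=10.0.5.30 DST=10.0.1.1 PROTO=UDP DPT=1025
2007-04-16T10:00:10 SRC=10.0.5.30 DST=10.0.1.2 PROTO=UDP DPT=1025
2007-04-16T10:00:10 SRC=10.0.5.30 DST=10.0.1.3 PROTO=UDP DPT=1025
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def find_port_scanners(log_text, port=1025, min_targets=3):
    """Return {source: sorted distinct destinations} for every source that
    sent TCP traffic to `port` on at least `min_targets` different hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line
        if m["proto"].upper() != "TCP" or int(m["dpt"]) != port:
            continue  # only the TCP port named in the diary is of interest
        targets[m["src"]].add(m["dst"])
    # Repeated connections to one host (a normal client) stay below the threshold.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_port_scanners(SAMPLE_LOG).items():
        print(f"{src} probed 1025/tcp on {len(dsts)} hosts: {', '.join(dsts)}")
```

The threshold counts distinct destinations rather than connections, so a single client talking repeatedly to one server on 1025/tcp is not reported.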