By Robert Vamosi

Just as the initial threat of the Zotob worm fades, new and much more malicious worms have hit the Internet with force. Early signs are that there are as many as eleven different worms each using a variety of patched vulnerabilities, including DCOM-RPC, LSASS, WebDAV, and the recent MS05-039 Windows Plug and Play vulnerability. The new worms include an IRC backdoor for communication, as well as the ability to add or delete network shared folders, steal private information, and launch a denial-of-service attack on random targets. Because these new worms allow remote access and may damage system files or launch a denial-of-service attack, these worms (collectively) rate a 7 on the CNET/ZDNet Virus Meter. Check this alert during the day for updates.

How it works
The new worms use port scanning and network shares to spread. The worms look for Windows 2000 systems that have not been updated recently, then connect to IRC servers to download malicious code.

Many of the new worms use a file called WINTBP.exe and make the following changes to the system registry:

CurrentVersion\Run “wintbp.exe” = wintbp.exe

Some of the worms attempt to remove traces of other worms from an infected system.

Some of the new worms use a variety of denial-of-service attacks, including PING flood, SkySyn flood, SYN flood, TCP flood, and UDP flood.

In some cases, the presence of these worms on a Windows 2000 system may cause that system to reboot repeatedly.

Initial reports suggest that only Windows 2000 may be affected. It is important that you update your Windows system immediately with the latest patches. Also, a desktop firewall should help block much of this attack.

Antivirus software companies have updated their signature files to include these new worms. Updates will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.