RPC DNS Worm Spotted In The Wild
Monday April 16, 2007 at 2:02 pm CST
Posted by Craig Schmugar
A new Nirbot variant has been discovered that attempts to exploit the recent zero-day vulnerability in Microsoft’s DNS Server Service (CVE-2007-1748).
Vulnerability to Worm Timeline:
- April 7 – This vulnerability was first reported by SANS in what was believed to be a targeted attack
- April 12 – Microsoft posted Microsoft Security Advisory (935964)
- April 14 – An exploit was made public
- April 15 – Three other exploits were made public
- April 15 – The first worm was submitted to McAfee Avert Labs late in the day
Analysis is ongoing. More details will be posted here.
Update April 16, 20:30 PDT
A second variant has been discovered.
First Variant
File Name: mdnex.exe (writes c:\U.exe)
File Size: 199,680 bytes
MD5: 0xc1a6a22b2415ba608fb894b4e036e19c
Second Variant
File Name: mozila.exe (writes c:\U.exe)
File Size: 270,848 bytes
MD5: 0x8f6cb8d895e60387fe3e41377d0f0d3f
