Worm Adds MS06-040 To Four-Bug Attack Kit

A network-aware worm that's added the MS06-040 vulnerability to its bag of exploitable bugs is on the make, Symantec said Tuesday.

Dubbed "Randex.gel," the worm opens a back door on any compromised computer, then tells the system to listen for additional commands over an IRC (Internet Rely Chat) channel.

"It looks like it's a derivative of other Randex variants," said Oliver Friedrichs, director of Symantec's security response group. "But it's added the MS06-040 vulnerability."

Earlier variations of the Randex worm clan exploited other patched flaws in Windows, including three fixed by MS04-007, MS05-017, and MS05-039. The last of those, a patch that quashed a bug in Windows' Plug and Play service, was used by the Zotob worm to hammer enterprises, in particular media companies, in 2005.

Randex.gel adds the vulnerability in the Windows Server service that Microsoft patched Aug. 8 to the three-some. "It's usually just hours before [attacks] plug in new exploit code to existing worms to build something new," said Friedrichs. The exploit in Randex.gel appears to be identical, or if not, very similar to the code released two weeks ago by HD Moore of Metasploit.The new Randex variant can spread in several different ways, Symantec's analysis reported, including via the MSN Messenger, AOL Instant Messenger, Yahoo Messenger, and ICQ instant messaging clients. It will also propagate through network shares and Microsoft SQL servers. If Randex.gel finds an SQL server, it will try to execute a job to infect any databases on the system.

In addition, the worm tries to steal account information when users of the eGold electronic payment system log onto the egold.com Web site.

But although Randex packs a punch, it's not the doomsday worm some were expecting after Microsoft patched the Server service with MS06-040.

"There are a good number of systems that have been infected [by MS06-040 exploits]," said Friedrichs. "But it's not reached epidemic proportions.

"For the most part, if you've taken an aggressive approach to patching, which has been much improved on the part of both businesses and consumers, the overall impact has been low."Friedrichs also answered the general criticism that security companies and the media overplay potentially-harmful vulnerabilities, sometimes to the point of turning them into scares that end up all sizzle, no steak.

"What would happen if we didn't cry wolf?" he asked. "If we sat back, there's a good change that this might have played out to be more than it was," he argued.