Autorooter - One More Reason To Patch Your Computer
04 Aug 2003
A new breach in Windows is under attack
Kaspersky Lab, a leading expert in information security, has detected a new Internet worm - Autorooter. Autorooter has already been sent as spam to many email recipients. Fortunately, the self-replication segment of the worm is not activated, so it has not spread widely yet.
However, Autorooter attacks a breach in Windows NT, 2000 and XP that was discovered only 2 weeks ago. Kaspersky Lab experts predict that the author of Autorooter may still activate the self-replication functions of the worm. Therefore, Kaspersky Lab urges all users to download the necessary patch from Microsoft.
Autorooter is a hybrid - part Internet worm and part backdoor Trojan. The package consists of three components - the worm carrier, a module for file exchange by FTP and the attack module (via the Microsoft breach).
The attack module first causes an OS buffer overrun and then loads the remaining components. This breach was identified a few weeks ago and Microsoft has released a patch.
Once the worm itself is loaded, it initiates the spread and installation of further components. Since the self-replication function of Autorooter is currently not operational, the worm does not continue spreading via the Internet. However, the built-in FTP server module loads the Trojan IRCbot. This, in turn, allows the hacker controlling the Trojan to manipulate the infected computer.
"We believe that this version of Autorooter is only the experimental one. A more viable version is likely to appear and cause serious damage to the Internet", comments Eugene Kaspersky, Head of Anti-Virus Research and founder of Kaspersky Lab, "it is possible that the author of Autorooter wanted to create a network of infected computers before launching a major virus epidemic or hacker attack".
Kaspersky Lab anti-virus experts strongly recommend that all users download the Microsoft patch and block TCP ports 135, 139 and 445.
Security measures against Autorooter have already been added to the Kaspersky® Anti-Virus databases.