Rinbot.Q worm exploits weakness in Windows DNS Server

PandaLabs has detected Rinbot.Q, a worm that spreads by exploiting a vulnerability in the Windows DNS Server. This recently discovered vulnerability has yet to be patched by Microsoft.

“Users should be on the alert until the flaw is patched, as new malicious code exploiting this vulnerability could appear. The situation is worse still, as an exploit has already been published for this vulnerability,” explains Luis Corrons, technical director of PandaLabs.

Rinbot.Q also operates as a downloader. “This makes it even more dangerous. Once it has entered a computer by exploiting the vulnerability, the worm can download other malicious code. This gives cyber-crooks a quick and silent way of spreading their most dangerous malware,” adds Corrons.

When installed on a computer, the worm checks for programs that analyze network traffic, such as Ethereal. If it finds one, it eliminates it to prevent detection. Rinbot.Q also alters the registry to ensure it is run on every system startup. The worm can also spread using shared network resources.

“It would be no surprise to see a wave of worms in the coming days, like those of the Spamta family. Very often, these waves of malicious code are just a red herring to distract the attention of users and security companies, while in the meantime new code that exploits the vulnerability is silently propagating,” warns Corrons.

All users that want to know whether their computers have been attacked by this or other malicious code can use TotalScan, the free, online solution available at: http://www.pandasoftware.com/totalscan.

They can also use the NanoScan beta (www.nanoscan.com), an online scanner that detects active malware on computers in less than one minute.