Thursday, August 17, 2006

The worms crawl in, they don't crawl out

Please pass the message on to your friends to patch their Windows 2000, XP and Server 2003 machines. (Have I harped on this enough yet?)



You should also make sure your anti-virus solution is up to date and that your subscription to it is in good standing. As of this writing, only about one-third of all AV vendors have updated signatures to catch this particular Trojan. Expect the rest to be up to date within the week.



A Trojan is spreading around the Internet this week that exploits unpatched machines, specifically those missing the fix for MS06-040, the server component vulnerability. Called W32.Wargbot, IRC-Mocbot!MS06-040, W32/Cuebot-L, Backdoor.Win32.IRCBot.st or WORM_IRCBOT.JL by various AV vendors, on infection it immediately calls out over the Internet via IRC and receives instructions to download a spam bot or Trojan called Win32.Ranky.fv. Victims' machines then become mass email spam servers for a large botnet. The victim's machine also continues to check the IRC command center for additional instructions, which means that the criminal who created this mess could download almost anything, at any time, to your machine.



Silently and without your permission.



Statistics (pulled out of my rear end just now) indicate that typically only 35% of all home or small office Windows users are on Automatic Updates. The rest either update manually, but not always in a timely manner, or have never updated at all. This does not include corporate domains, where updates are generally controlled via WSUS or SMS or the like, and are tested and then rolled out to end users on the company's own schedule.



The potential for damage is great. See my previous posts for links to more information on how to get yourself immunized against the attack.
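
The behaviour described above (an IRC check-in followed by mass mailing) leaves a recognizable trace in outbound connection logs. The following is an added example, not part of the original post, that triages constructed flow records; the log format, the IRC port, the mail-relay allowlist and the fan-out threshold are all assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "epoch src dst dst_port"
SAMPLE_FLOWS = """\
1000 10.0.0.5 198.51.100.7 6667
1030 10.0.0.5 203.0.113.9 80
1100 10.0.0.5 192.0.2.10 25
1101 10.0.0.5 192.0.2.11 25
1102 10.0.0.5 192.0.2.12 25
1103 10.0.0.5 192.0.2.13 25
1000 10.0.0.8 192.0.2.10 25
1200 10.0.0.9 198.51.100.7 6667
1500 10.0.0.20 192.0.2.10 25
1501 10.0.0.20 192.0.2.11 25
1502 10.0.0.20 192.0.2.12 25
garbled line
"""

IRC_PORTS = {6667}            # assumption: default IRC port; bots may use others
MAIL_RELAYS = {"10.0.0.20"}   # assumption: hosts allowed to send SMTP directly
SMTP_FANOUT = 3               # assumption: distinct SMTP peers before flagging

def parse(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit() and parts[3].isdigit():
            yield int(parts[0]), parts[1], parts[2], int(parts[3])

def triage(text):
    """Map each non-relay host seen on IRC to 'likely-bot' or 'review'."""
    first_irc, smtp_peers = {}, defaultdict(set)
    for ts, src, dst, dport in sorted(parse(text)):  # process in time order
        if src in MAIL_RELAYS:
            continue
        if dport in IRC_PORTS:
            first_irc.setdefault(src, ts)
        elif dport == 25 and src in first_irc:
            # Only count SMTP that follows the host's first IRC check-in.
            smtp_peers[src].add(dst)
    return {h: "likely-bot" if len(smtp_peers[h]) >= SMTP_FANOUT else "review"
            for h in first_irc}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, verdict)
```

A workstation that talks IRC and then mails many distinct servers is the pattern worth isolating first; an IRC-only host is listed for review because the download step may not have happened yet.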
