A Microsoft RPC vulnerability was patched in an out-of-band release in October, but organizations slow to deploy the update are learning the hard way how fast various RPC worm variants can spread through corporate networks.
Security vendor F-Secure Corp. said it received reports of additional successful infections of corporate networks. In several F-Secure blog posts, the security vendor said the Downadup/Conficker worms are frustratingly painful to disinfect as they lock out users from their accounts and crack passwords using a built-in dictionary.
Although the worms have spread fairly slowly on the Internet, once a corporate network is infected the worm spreads like wild fire through local area networks, USB drives and other removable media, F-Secure said.
Microsoft said it received reports from customers infected by the worm. It advises customers to deploy the patch as soon as possible. The worm attempts to connect to an IRC server to download more malware and receive additional commands from an attacker.
The software giant issued an emergency patch Oct. 23, repairing the vulnerability which left Windows systems dangerously open to attack. It was only the fourth time that Microsoft released a security patch outside of its monthly cycle. Hours after the patch release, security researchers reported the discovery of the first Trojans in the wild attempting to exploit the flaw.
Disinfection tool released
"You must clean all of the computers within your network or else you risk reinfections. Servers first, then workstations," F-Secure said. "Disinfect, then use the manual Microsoft update to patch, then manually update your antivirus, then do a full system scan for all files."