Kaspersky's weblog entry of June 5th entitled "Robots,vile robots everywhere!" is a great read. While this vulnerability is one year old, there might be some folks who have only applied MS04-011 and MS03-026 for XP or 2000 to stop true Sasser and Blaster type worms.MS04-007: RBOT variant - 1st worm to exploit ASN.1 via Internet
(see June 5th weblog entry)
Investigation of the packets revealed a Microsoft ASN.1 exploit, which tries to download and run an executable from the attacking machine via TFTP. We've secured a binary and took a look under the cover. The responsible worm was a Rbot variant, ... Besides the ASN.1 exploit - and this is the first worm to use it successfully on the Internet
- the Rbot variant uses a multitude of other exploits, DCOM, RPC,Veritas Backup Exec, LSASS, MSSQL, password guessing and so on. It also steals registration keys from a good list of popular games, PayPal accounts logins, has an embedded backdoor and of course, DDoS capabilities.
Basically, it's a worm which tries very hard to spread while at the same time, it tries to steal as many valuable data from the victim machine as it is available. It is a highly infectious worm, written for profit. And yes, most of the other worms we're seeing nowadays are no different.Spybot.PKC - May be a close example of the new RBOT variant