New Rinbot - IRC Worm Exploits DNS RPC Vulnerability


#1 harrywaldron



Posted 17 April 2007 - 03:23 PM

As quietman shares details of the vulnerability below, it didn't take long for this new unpatched vulnerability to be adapted into an existing worm. While this new variant is not widespread, it is important to be careful with website visitation and stay up-to-date with AV signatures, as this can help with protection until this new vulnerability is patched.

CERT: New Rinbot Variant Attempting to Exploit Microsoft Windows DNS RPC Vulnerability

US-CERT is aware of a new variant of the Rinbot worm that is currently scanning for port 1025/tcp and attempting to exploit the recent buffer overflow vulnerability in the Microsoft Windows DNS service RPC management interface. Like other variants of Rinbot, this variant is an Internet Relay Chat controlled backdoor that may provide an attacker unauthorized remote access to a compromised machine.


W32/Nirbot.worm!RpcDns is an internet relay chat controlled backdoor, which provides an attacker with unauthorized remote access to the compromised computer. An attacker can gain control over the compromised computer and use it to send spam, install adware, distribute illegal content or launch a DDoS attack on internet systems. This variant of the W32/Nirbot.worm.gen will also try to exploit the Microsoft DNS Server Service RPC vulnerability on DNS Server.


This worm may be dropped on a system by other malware or downloaded unknowingly by a user when visiting malicious Web sites. It may also arrive via network shares. This worm also spreads by taking advantage of the Vulnerability in RPC on Windows DNS Server to propagate across networks.

Symantec: W32.Rinbot.BC

The worm opens a random port and waits for a connection from shell code. The worm scans the network for computers vulnerable to the following vulnerabilities and exploits them:

* The Microsoft DNS Server Service Could Allow Remote Code Execution (BID 23470) on TCP port 1025
* The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 19409) on TCP port 139
* Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107) on TCP port 2967

MORE INFORMATION: Microsoft Security Advisory (935964)
Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution
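
Added example, not part of the original post or of any vendor advisory: a small detector that flags sources probing the three TCP ports listed above (1025, 139, 2967) across several hosts in a short time. The log format, the addresses, and the window and threshold values are assumptions chosen for illustration; port 139 also carries legitimate traffic, so tune the thresholds to the network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# TCP ports the post lists for this variant (BID 23470, 19409, 18107).
RINBOT_PORTS = {1025, 139, 2967}

# Constructed sample: "<ISO time> <src> <dst> <dst_port>" per inbound TCP SYN.
# The log format and all addresses (RFC 5737 / RFC 1918) are assumptions.
SAMPLE_LOG = """\
2007-04-17T15:00:01 192.0.2.10 10.0.0.5 1025
2007-04-17T15:00:02 192.0.2.10 10.0.0.6 1025
2007-04-17T15:00:03 192.0.2.10 10.0.0.5 139
2007-04-17T15:00:04 192.0.2.10 10.0.0.7 2967
2007-04-17T15:00:05 198.51.100.7 10.0.0.5 1025
2007-04-17T15:00:09 198.51.100.7 10.0.0.5 80
2007-04-17T16:30:00 203.0.113.4 10.0.0.5 139
2007-04-17T18:45:00 203.0.113.4 10.0.0.6 2967
"""

def parse(log_text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_scanners(log_text, window=timedelta(minutes=5), min_ports=2, min_hosts=2):
    """Return {src: sorted ports} for sources that hit >= min_ports of the
    listed ports on >= min_hosts destinations inside one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if port in RINBOT_PORTS:
            by_src[src].append((ts, dst, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            ports = {e[2] for e in in_win}
            hosts = {e[1] for e in in_win}
            if len(ports) >= min_ports and len(hosts) >= min_hosts:
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```
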

