Newly Found Rolark Trojan Exploits a Vulnerability in Microsoft IIS

Panda Software’s Virus Laboratory has detected the appearance of a new Trojan called Rolark (Trj/Rolark). The author of this Trojan has been extremely quick off the mark, as this malicious code is programmed to exploit a vulnerability in version 5 of Microsoft Internet Information Server, discovered on March 17.

This vulnerability is a buffer overflow in the NTDLL.DLL library used by several components, however in this case it affects the WebDAV component associated with version 5 of Internet Information Server (IIS). If a specially-crafted request were sent to WebDAV, it would provoke a buffer overflow that would allow an attacker to gain complete control of the server.

Rolark is not a typical Trojan, as it does not need to install itself on the server or create any files in order to carry out its actions. This malicious code can also be inserted in a machine and run remotely in order to use it as a launch pad for attacking other computers. By doing this, the ID of the machine from which the attack was launched would be hidden.

It is also highly recommendable to install the patch released by Microsoft that fixes the vulnerability exploited by Rolark. This patch can be downloaded from the following address.

Detailed technical information on Rolark is available from Panda Software’s Virus Encyclopedia.