Autorooter Worm – One More Reason To Patch Your Computer

Kaspersky Labs, a leading expert in information security, has detected a new Internet worm, “Autorooter”. “Autorooter” has already been sent as spam to many e-mail recipients. Fortunately, the self-replication segment of the worm is not activated, so it has not spread widely yet. However, “Autorooter” exploits a vulnerability in Windows NT, 2000 and XP that was discovered only 2 weeks ago. Kaspersky Labs experts predict that the author of “Autorooter” may well activate the self-replication functions of the worm. Therefore, Kaspersky Labs urges all users to download the necessary patch from Microsoft.

“Autorooter” is a hybrid: part Internet worm and part backdoor Trojan. The package consists of three components: the worm carrier, a module for file exchange by FTP, and the module that attacks via the Windows vulnerability.

The attack module acts first, performing a buffer overflow attack on Windows to load the remaining components. This vulnerability was identified a few weeks ago and Microsoft has released a patch.

Once the worm itself is loaded, it initiates the spread and installation of further components. Since the self-replication function of “Autorooter” is not currently operational, the worm does not continue spreading via the Internet. However, the built-in FTP server module loads the “IRCbot” Trojan. This, in turn, allows the virus writer controlling the Trojan to manipulate the infected computer.

“We believe that this version of “Autorooter” is only the experimental one. A more viable version is likely to appear and cause serious damage to the Internet”, comments Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, “It is possible that the author of “Autorooter” wanted to create a network of infected computers to prepare a global virus epidemic or perform a global hacker attack”.

Kaspersky Labs anti-virus experts strongly recommend that all users download the Microsoft patch and block TCP ports 135, 139 and 445 using their firewalls.

Security measures against “Autorooter” have already been added to the Kaspersky Anti-Virus databases, while a more detailed description of the worm is available in the Kaspersky Virus Encyclopedia.
