News

Worm Hits Windows 2000 in China

Despite issuing a preemptive patch two weeks ago and another warning late last week, Redmond is now investigating a bug exploiting Windows Server Service for Windows 2000 that reportedly originated in China.

The problem stems from a worm that Symantec Corp. is calling Wecorl. It's also been dubbed "MS08-67.g" by Kaspersky Lab and Microsoft. The MS08-67.g name derives from a patch tag number for the out-of-cycle bulletin issued on October 23.

Symantec security response said that the worm, which was discovered late Monday, can install a Trojan downloader and rootkit code to mask it from security software.

The latest bug affects Windows 2000 and has thus far been seen on Chinese PCs running Windows. Wecorl is similar to the bug that Microsoft was supposed to be patching two weeks ago. At that time, Microsoft described weaknesses in server service mechanisms in the Windows 2000, Windows XP and Windows Server 2003 operating systems. The weaknesses could allow for remote code execution exploits through the use of a "specially crafted" remote procedure call request.

The vulnerability can enable automatic remote interactions or subroutines between CPUs in a shared processing environment. If the worm manages to bore through into one Windows-based PC, it can also make attempts to weave its way through other workstations connected on the same subnet.

The nature of the bug, means it can get around the firewall-level blocks that Microsoft touted in its patch release, according to Andrew Storms, director of security at nCircle.

On the positive side, Microsoft knew the bug was coming, they were prepared for it and the word was out, Storms added.

"As security professionals, we have signatures for this sort of thing when it's already in play" he said. "Had it gone undetected, there wouldn't have been any baseline from which enterprises can begin to assess the threat."

That said, he cautioned that those who have not already patched the affected systems should still do so "ASAP."

Symantec assessed the worm as a "very low" risk because it originated from overseas and only affected Windows 2000. But the company also encourages installation of the previous patch and is continuing to take its cue from Microsoft's inclination that the bug constituted an emergency. For that reason, Symantec is still classifying the bug with a level 2 rating via its ThreatCon global threat rating system.

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.