Microsoft Warns Users Of Active Worm Exploiting Windows Bug

By: Rob Adams
Staff Writer
Published: Nov 27, 2008

Microsoft's Security Response Center is warning of a worm that is attacking Windows and networks. The bug it exploits was already patched in the latest Windows Update. Several hundred home users have already reported the worm.

Microsoft Corp's Security Response Center and McAfee Inc are warning Windows users of a worm that's exploiting an already patched bug. The patch was issued through Windows Update about 11 days ago.

The worm, dubbed W32/Conficker.worm, is malware that spreads within corporate networks. However, Microsoft said that several Windows home users have been infected.

The Windows worm opens a random port between 1024 and 1000. It then acts like a Web server and propagates to random computers on the network. The worm often uses a JPG extension when transferred from one computer to another via HTTP.

Once the Windows worm is copied, the name of the file is changed to a random file name with a DLL extension. It's usually saved in the local system folder on the user's PC.
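The transfer described above (a file named like a JPG but actually a DLL, fetched over HTTP from a high port on another machine) can be looked for in proxy or sensor logs. The following Python check is an added example, not code from the original article, Microsoft, or McAfee; the record layout, the sample data, and the port floor of 1024 are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG file starts with these bytes
PE_MAGIC = b"MZ"              # DOS/PE header that starts EXE and DLL files
MIN_PORT = 1024               # assumption: lowest port the worm's server uses

@dataclass
class Transfer:
    """One HTTP response as logged by a proxy or sensor (hypothetical schema)."""
    client_ip: str      # machine that downloaded the file
    url: str            # URL that was requested
    body_prefix: bytes  # first bytes of the response body

def classify(t: Transfer) -> str:
    """Return 'suspicious', 'mismatch' or 'ok' for one transfer."""
    parts = urlsplit(t.url)
    if not parts.path.lower().endswith((".jpg", ".jpeg")):
        return "ok"
    if t.body_prefix.startswith(JPEG_MAGIC):
        return "ok"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if t.body_prefix.startswith(PE_MAGIC) and port >= MIN_PORT:
        return "suspicious"  # executable served as .jpg from a high port
    return "mismatch"        # not a JPEG, but does not fit the worm's pattern

def suspicious_sources(transfers):
    """Map each serving host to the clients that pulled a disguised PE file."""
    hits = {}
    for t in transfers:
        if classify(t) == "suspicious":
            host = urlsplit(t.url).hostname
            hits.setdefault(host, []).append(t.client_ip)
    return hits

# Constructed sample records (not real traffic).
SAMPLE = [
    Transfer("10.0.0.5", "http://10.0.0.23:4711/abcde.jpg", b"MZ\x90\x00\x03"),
    Transfer("10.0.0.6", "http://10.0.0.23:4711/qwert.jpg", b"MZ\x90\x00\x03"),
    Transfer("10.0.0.7", "http://intranet.example/logo.jpg", b"\xff\xd8\xff\xe0"),
    Transfer("10.0.0.8", "http://intranet.example/photo.JPG", b"<html>"),
]

if __name__ == "__main__":
    for host, clients in suspicious_sources(SAMPLE).items():
        print(f"{host} served a PE file as .jpg to {sorted(clients)}")
```

A serving host flagged here is a candidate for an already infected machine, and each client listed against it should be checked for a newly written DLL in its system folder.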

There is also something entertaining about this worm. It actually patches the vulnerable API in memory so the user's PC will not be vulnerable anymore. In other words, it fixes a bug for the user.

However, before anyone thanks the malware authors for fixing a bug, note that they do this so that competing malware cannot take over the machine. It is also used to trick Windows Update so that the real patch from Microsoft doesn't apply.