An updated version of an old worm is targeting the same Microsoft vulnerability exploited by variants of Conficker.
This time around, MS08-067 – a patched flaw in the Windows Server service – is being targeted by a new variant of the Neeris worm. Neeris first appeared in 2005, but is now back on the scene with new functionality similar to the Conficker worm.
“It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st,” officials at the Microsoft Malware Protection Center stated in a blog post. “However it was not downloaded by any Conficker variant and there’s no evidence that it’s related to Conficker.D’s April 1 domain algorithm
Conficker.D is also referred to by other vendors as Conficker.C, Downadup.C and other names. The worm is estimated by many security researchers to have infected millions of PCs.
The new Neeris variant is detected by Microsoft as Win32/Neeris.gen!C. Earlier versions of the worm exploited MS06-040, which addressed a vulnerability in the same Server service as MS08-067.
If the exploit is successful, the victim’s machine downloads a copy of Neeris from the attacking machine using HTTP. In addition to the Server service exploit, it also spreads through AutoRun and adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
“Neeris began as an IRC bot which spreads itself by sending links through MSN Messenger,” according to the blog post. “It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant.”
The new iteration of the malware tries to connect to a command and control server over port 449. According to Microsoft, the server password it uses to log-in was used by other bots last February. The malware adds itself to start every time Windows starts, and adds itself to the Safe Boot configuration as well.
Due to its similarity to Conficker, many of the same pieces of advice apply. Users should install MS08-067 if they have not already done so, and consider disabling AutoRun.
“The earliest samples of Neeris date back to May of 2005, so it seems the Conficker authors may be the copycats here,” the blog post reads. “But the Neeris authors added the MS08-067 vector later. Therefore it is possible that these miscreants somehow collaborate or at least are aware of each other’s “products.””