Trojan Exploits MS06-040 Windows Vulnerability, Drops Rootkit

By | September 15, 2006

A Trojan that creeps through a network is insidious enough on its own; what if it also uses a rootkit to evade detection? Security experts at MicroWorld Technologies report that a Trojan bot is exploiting multiple Windows vulnerabilities to spread across networks while using a rootkit component to hide its files and processes.

‘Backdoor.Rbot.ayg’ spreads via AOL Instant Messenger at its first level of proliferation. Once it has installed itself in the system registry, the bot can move to other computers on the network by exploiting the recently discovered and patched Server Service vulnerability (MS06-040) and earlier flaws in Microsoft Windows such as MS03-049.

Last month, MicroWorld Technologies reported on ‘’, which exploited MS06-040 to launch a zero-day attack on targeted computers. It had an identical spreading routine using AOL Messenger and was also capable of exploiting earlier flaws in Windows.

Backdoor.Rbot.ayg uses ‘Win32.Rootkit.l’ to hide its files and processes. It communicates with the remote attacker via IRC channels, accepting and executing commands. The bot can shut down and restart the computer, log on to websites and download malicious code, log off the current user, send files to the intruder, capture network user information and search disks for files.

Sunil Kripalani, Vice President, Global Sales and Marketing, MicroWorld Technologies, observes “If you are serious about security, you just can’t be complacent in patching vulnerabilities in Operating Systems or other applications. However, regardless of security flaws in OS or elsewhere, you must be able to rely on your AntiVirus software to protect your system from all kinds of malware types. And that will be possible only when the security software combines multiple technologies that are proactive and reactive in nature and always keeps a few steps ahead of Virus writers.”
