A worm that was patched by Microsoft is now attacking systems.
Microsoft rushed out the emergency patch on the 24th October, however the Wecorl worm has now been circulated. Kevin Haley, a director with Symantec's security response team, claimed that the worm may have originated in China as it appeared to target Chinese language versions of Windows 2000.
Haley also confirmed that the worm is different from the information-stealing Trojan horse that was patched, however the worm installs multiple components on victimized PCs, including a Trojan downloader and rootkit code to mask it from security software.
He said that if the worm manages to infect a Windows PC, it also tries to attack all the machines on the same subnet. F-Secure identified the Trojan as a ‘Trojan-Dropper.Win32.Agent.yhi' and the rootkit bits as ‘Rootkit.Win32.KernelBot.dg.'
Within days of the emergency patch, hackers had published working attack code on the Internet, despite Microsoft claiming at the time that “standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.”
Christopher Budd, a Microsoft Security Response Center program manager, claimed in a blog post at the time that ‘the vulnerability is potentially wormable' on older versions of Windows.