SP2 users: MS06-040 worm has a message to you

Here is what the code of the W32/Sdbot.worm!MS06-040 worm actually says.

The worm body contains this string, which suggests more variants are on the way:

“rBot v2 a.k.a. the next generation (working on winXP SP2)”

It also adds the following Registry value:

“JavaNet” = “rBot v2 a.k.a. the next generation (working on winXP SP2)”

Symantec appears to detect the same worm under the name W32.Randex.GEL.

It is worth noting that if you find a file named javanet.exe in the Windows System directory, you are probably infected.
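The two indicators above (the "JavaNet" Registry value with the rBot string, and javanet.exe in the System directory) are easy to check for without running anything on a suspect box. The script below is an added example, not code from the original post: it parses the text of a `reg export` file for the value and screens a list of file paths for the executable. The Registry key shown in the constructed sample (the HKLM Run key) and the set of system directories are assumptions; the post only gives the value name, its data and the file name.

```python
"""IOC check for the "JavaNet" Registry value and javanet.exe (added example).

Input is offline data so the check can run on an analysis host:
  - the text of a .reg file produced by `reg export` on the suspect machine
  - a list of file paths, e.g. the output of `dir /s /b C:\\Windows`
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the post.
IOC_VALUE_NAME = "JavaNet"
IOC_VALUE_DATA = "rBot v2 a.k.a. the next generation (working on winXP SP2)"
IOC_FILENAME = "javanet.exe"

# Assumption: "Windows System directory" means one of these (lower-case, with
# surrounding separators so "system32" does not match "system32_backup").
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\", "\\winnt\\system32\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "Name"="data" lines (REG_SZ); quotes and backslashes inside are escaped with \.
_SZ_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s: str) -> str:
    """Undo .reg escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a `reg export` file into {key: {name: data}}.

    Other value types (dword:, hex:) are ignored; they cannot carry the string.
    """
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip("\ufeff").rstrip()   # exports are UTF-16 and may carry a BOM
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            result.setdefault(current, {})
            continue
        m = _SZ_RE.match(line)
        if m and current is not None:
            result[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return result


def find_registry_iocs(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, data) for every value matching the marker.

    A value named "JavaNet" under any key is reported even when its data has
    changed, and any value whose data mentions "rBot v2" is reported even if it
    was renamed, so a later variant that changes one of the two is still caught.
    """
    hits: List[Tuple[str, str, str]] = []
    for key, values in parse_reg_export(reg_text).items():
        for name, data in values.items():
            if name.lower() == IOC_VALUE_NAME.lower() or "rbot v2" in data.lower():
                hits.append((key, name, data))
    return hits


def find_file_iocs(paths: List[str]) -> List[str]:
    """Return the paths whose file name is javanet.exe inside a system directory."""
    hits: List[str] = []
    for p in paths:
        low = p.lower()
        base = low.rsplit("\\", 1)[-1]
        if base == IOC_FILENAME and any(d in low for d in SYSTEM_DIRS):
            hits.append(p)
    return hits


# Constructed sample data. The Run key is an assumption; the post names no key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"JavaNet"="rBot v2 a.k.a. the next generation (working on winXP SP2)"
'''

SAMPLE_FILES = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\javanet.exe",
    r"C:\Documents and Settings\user\javanet.exe",   # same name, not a system dir
]

if __name__ == "__main__":
    for key, name, data in find_registry_iocs(SAMPLE_REG):
        print(f"registry hit: [{key}] {name} = {data}")
    for path in find_file_iocs(SAMPLE_FILES):
        print(f"file hit: {path}")
```

On the suspect machine, `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` and `dir /s /b C:\Windows > files.txt` produce the two inputs; the export is UTF-16, so open it with that encoding before passing the text in. A hit on the data string alone is the stronger signal, since a value or file name is trivial for the next variant to change.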

  • http://infosysec.net Curt Purdy

    This bot worm was discovered as a 0-day on our network Friday. Luckily, our IDS immediately caught it, and we stopped it with only about 10% of our Windoze servers affected. It is a tough one to clean though, and we had to clean up a couple of stragglers that popped back up this morning.

    This is the reason I push as hard as I can to move anything we can to UNIX/Linux. We are getting close to 50% now. With more application support coming for *NIX every day, as well as our deployment of more web services applications, maybe one day I can get rid of M$ completely.

    Curt Purdy
    Manager Information Security