Microsoft - Conficker Copycat Neeris on the Prowl
Security researchers at Microsoft reported on April 3, 2009 that a little-known old virus has been imitating the infection tactics of Conficker, a virus that wreaked havoc in the past 15 days (March 2009-April 2009), as reported by COMPUTERWORLD on April 5, 2009.
The researchers state that MS08-067, a patched security vulnerability in the Windows Server service, has become the target of a fresh version of Neeris, the worm that Microsoft detects as Win32/Neeris.gen!C.
Neeris was first detected in May 2005, but it is reportedly exploiting the same flaw in Windows that Conficker earlier exploited, according to Microsoft officials. The new version of Neeris emerged on March 31, 2009 and April 1, 2009, officials state.
According to the researchers, Conficker proliferated via infected computers using the tactic of adding an autorun.inf file to a USB device's directory, chiefly flash drives. Subsequently, when the USB drive was plugged into a different but uninfected PC, the autorun.inf file surreptitiously installed a copy of the Conficker worm in that system, they said.
The new Neeris sample proliferates in a similar way. Once the exploit executes successfully, Neeris is copied from the infected system to the victim's system over HTTP.
Security experts further explained that, over time, the virus has acquired additional spreading tactics, such as targeting SQL (Structured Query Language) servers with weak passwords, exploiting MS06-040, and eventually exploiting MS08-067 in the current version.
Since Neeris is similar to Conficker, security companies are offering the same advice they gave for Conficker, according to experts. Users should install the MS08-067 patch, if they have not already done so, and disable the Windows Autorun feature.
Additionally, security researchers said that because Neeris has existed for nearly four years, it is the Conficker writers who are the copycats rather than the Neeris writers. However, since the virus's creators revised the MS08-067 vector after Conficker (the ability to infect through that vulnerability is again available), it is probable that the miscreants have collaborated with each other, or at least know about each other's malware variants.
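An added example, not from the original article or from Microsoft: a Python check that reads a removable drive's autorun.inf and lists the entries that would launch a program, which is the mechanism described above for the USB spreading route. The key names (open, shellexecute, shell\verb\command) are the standard autorun.inf launch keys; the sample content and the file name example.exe are constructed.

```python
import os
import re

# Keys in the [autorun] section that make Windows launch a program.
LAUNCH_KEYS = re.compile(r"(open|shellexecute|shell\\[^\\]+\\command)", re.I)

def launch_commands(data: bytes):
    """Return [(key, command)] for every launch entry in the [autorun] section."""
    text = data.decode("latin-1")  # never raises, so junk bytes cannot abort the scan
    found, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEYS.fullmatch(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found

def audit_drive(root):
    """Scan <root> for autorun.inf (any letter case); [] if absent or harmless."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, "rb") as fh:
                return launch_commands(fh.read())
    return []

# Constructed sample, not taken from a real infection.
SAMPLE = (b"; constructed sample\r\n"
          b"[AutoRun]\r\n"
          b"icon=folder.ico\r\n"
          b"Open = example.exe /s\r\n"
          b"shell\\explore\\Command=example.exe\r\n"
          b"[Other]\r\n"
          b"open=ignored.exe\r\n")

if __name__ == "__main__":
    for key, cmd in launch_commands(SAMPLE):
        print(f"launch entry {key!r} -> {cmd!r}")
```

Any non-empty result on a drive that is not known installation media is worth investigating before the drive is used on a machine with Autorun enabled.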
» SPAMfighter News - 11-04-2009