RPC DNS Worm in the Wild

Written by Editor
Tuesday, 17 April 2007 10:19

A new Nirbot-based worm appears to be on the loose, exploiting the recently discovered RPC DNS server vulnerability (CVE-2007-1748) in Microsoft Windows server products. There appear to be at least two variants of the worm with differing file names, but they have similar characteristics. Nirbot uses IRC for command and control, and these variants are no different: the controller can use them to launch DDoS attacks, send spam or distribute other potentially dangerous or illegal content.

The two variants have been known to use the file names 'mozila.exe' and 'mdnex.exe', although these could change. The worm also attempts to download files from a couple of possibly compromised web sites, and two of the downloaded files appear to be versions of the Nirbot worm. The variants also contact IRC servers on port 8080 to link up with their command and control channels.

The worm seems to be detected by a couple of the anti-virus vendors, including McAfee and Symantec. Like every other virus out there, Nirbot is known by other names: Rinbot by Symantec, DelBot by Sophos and VanBot by Kaspersky.
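The indicators reported above (the two file names and IRC traffic on port 8080) can be turned into a simple triage check. The following is an added example, not code from the original article or from any vendor; the event format, field names, host names and sample records are constructed assumptions. Because the file names could change, it also flags IRC registration commands on port 8080 independently of the file name.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path semantics on any OS

# File names reported in the article; the article notes these could change.
REPORTED_NAMES = {"mozila.exe", "mdnex.exe"}
C2_PORT = 8080  # IRC command-and-control port reported in the article
# IRC client registration/join commands (RFC 1459) at the start of a line.
IRC_CMD = re.compile(rb"^(?:PASS|NICK|USER|JOIN)\s+\S", re.MULTILINE)

def triage(events):
    """Return {host: sorted list of reasons} for hosts matching the write-up."""
    findings = defaultdict(set)
    for ev in events:
        if ev["type"] == "process":
            # Compare only the base name, case-insensitively, as Windows does.
            if basename(ev["image"]).lower() in REPORTED_NAMES:
                findings[ev["host"]].add("reported file name")
        elif ev["type"] == "net":
            # Port 8080 normally carries HTTP; IRC commands there are the signal.
            if ev["dport"] == C2_PORT and IRC_CMD.search(ev["payload"]):
                findings[ev["host"]].add("IRC on port 8080")
    return {host: sorted(reasons) for host, reasons in findings.items()}

# Constructed sample events (not real telemetry); field names are assumptions.
SAMPLE = [
    {"type": "process", "host": "dns01", "image": r"C:\WINDOWS\system32\MDNEX.EXE"},
    {"type": "net", "host": "dns01", "dport": 8080,
     "payload": b"NICK a1b2c3\r\nUSER a1b2c3 0 * :x\r\n"},
    {"type": "net", "host": "web02", "dport": 8080,
     "payload": b"GET /status HTTP/1.1\r\nHost: proxy.example\r\n\r\n"},
    {"type": "process", "host": "dns03", "image": r"C:\Tools\renamed.exe"},
    {"type": "net", "host": "dns03", "dport": 8080,
     "payload": b"PASS x\r\nNICK z9\r\nJOIN #chan\r\n"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE).items():
        print(host, reasons)
```

In the sample, `dns03` runs a renamed binary and is still flagged by its IRC traffic, while ordinary HTTP on port 8080 from `web02` is ignored.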













