Trojan worm may be another variant associated with the W32/SDBot exploit
Thursday, June 14, 2007
Notice: The following information is very preliminary. Another bulletin will be sent when more information is available.

An exploit that has the characteristics of both a worm and a Trojan seems to be affecting many networks beginning Thursday, June 14, 2007. Initial reports show this Trojan worm may be another variant associated with the W32/SDBot exploit.

Some reports say that an end user inadvertently downloads the initial malware from a website. Other reports say that no human interaction is necessary. Regardless of how the initial infection occurs, the Trojan worm, once installed on a single system, appears to scan for and identify additional targets to exploit, and then infects and replicates itself to the new system.

Existing data shows the Trojan worm affecting Microsoft operating systems. It appears that several common ports are scanned for potential compromise, including all NetBIOS ports and some Microsoft SQL ports. When the Trojan worm replicates itself to a domain controller, and specifically to an Active Directory server, it has the capability to modify account access for users. This has resulted in disabled network access for many end users. Initial reports also indicate that Windows 2000 servers are the most susceptible to this Trojan worm exploit.

As of this writing, no security vendors, including antivirus and intrusion defense companies, have released information on this new security event.

Microsoft systems that are at the latest patch level do seem to be much more resistant to the Trojan worm than non-patched systems. It is therefore our recommendation that customers make an effort to ensure that the patch level of their servers and workstations is up to date. Priority should be given to servers, especially Windows 2000 servers with Active Directory and other domain controllers. If you are unaware of how to patch your Microsoft operating systems, please call Perimeter at 800-234-2175.
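
The scanning behavior described above (one infected system probing many hosts on NetBIOS and Microsoft SQL ports) can be looked for in firewall or flow logs. The following is an added example, not part of the original bulletin: the log format, the threshold, and the port numbers (the standard defaults for these services, since the bulletin names no numbers) are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: standard default ports for NetBIOS (137, 138, 139) and
# Microsoft SQL (1433, 1434); the bulletin names the services, not the numbers.
WATCHED_PORTS = {137, 138, 139, 1433, 1434}
WINDOW = timedelta(seconds=60)
THRESHOLD = 5  # distinct destinations per source within WINDOW (assumed tuning value)

def parse_line(line):
    """Parse 'ISO-timestamp src dst dport' (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: most distinct destinations hit on watched ports in any window}."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] in WATCHED_PORTS:
            ts, src, dst, _ = rec
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

def sample_log():
    """Constructed sample: 10.0.0.5 sweeps six hosts; 10.0.0.9 uses one file server."""
    base = datetime(2007, 6, 14, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 10.0.1.{i + 1} "
             f"{(139, 1433)[i % 2]}" for i in range(6)]
    lines += [f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.9 10.0.1.50 139"
              for i in range(6)]
    lines.append("garbage line without fields")  # malformed input is skipped
    return lines

if __name__ == "__main__":
    print(find_scanners(sample_log()))
```

Counting distinct destinations rather than raw connections keeps a workstation that talks repeatedly to a single file server from being flagged.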