Microsoft server worm can spread via USB

A Microsoft worm that is currently attacking business systems is also a USB worm, security vendor F-Secure has warned.

The worm, which F-Secure calls Downadup, attacks the vulnerability outlined in MS08-067, a Windows Server service flaw that was patched in October.

The worm launches a dictionary attack to attempt to crack user passwords, and uses server-side polymorphism and modification to the Access Control Lists (ACL) "to make network disinfection particularly difficult", F-Secure said in a blog post on Tuesday.

However, F-Secure said it has discovered the worm also propagates on the client side, via USB. If a person plugs a USB stick into an infected computer, the malware creates an autorun.inf file on the root of the USB drive.

The .inf file then uses either autorun or autoplay to infect any unpatched systems either when the stick is plugged into the system, or when the user double-clicks on the USB icon in My Computer in Windows Explorer.

The USB worm uses a steganographic technique to hide the autorun file in "binary garbage" to make detection more difficult, said F-Secure's chief research officer Mikko Hyppönen in a blog post on Wednesday.

The US Computer Emergency Response Team has urged IT professionals to apply the patch linked to in MS08-067.

ZDNet UK reader gareth25, who describes himself as an IT consultant from Manchester, said he has had to deal with systems infected by this worm. "I have first hand experience with this worm," wrote gareth25 in a response to a ZDNet UK story. "The connections it made outbound crashed the firewall and brought the internet down constantly. It's not exactly a one click removal either. Please patch your systems now."