Windows Server worm can spread via USB

The worm called Downadup that is attacking business systems also propagates via USB, says F-Secure.
Written by Tom Espiner, Contributor

A Microsoft worm that is currently attacking business systems is also a USB worm, security vendor F-Secure has warned.

The worm, which F-Secure calls Downadup, attacks the vulnerability outlined in MS08-067, a Windows Server service flaw that was patched in October.

The worm launches a dictionary attack to attempt to crack user passwords, and uses server-side polymorphism and modification to the Access Control Lists (ACL) "to make network disinfection particularly difficult", F-Secure said in a blog post on Tuesday.

However, F-Secure said it has discovered the worm also propagates on the client side, via USB. If a person plugs a USB stick into an infected computer, the malware creates an autorun.inf file on the root of the USB drive.

The .inf file then uses either autorun or autoplay to infect any unpatched systems either when the stick is plugged into the system, or when the user double-clicks on the USB icon in My Computer in Windows Explorer.

The USB worm uses a steganographic technique to hide the autorun file in "binary garbage" to make detection more difficult, said F-Secure's chief research officer Mikko Hyppönen in a blog post on Wednesday.

The US Computer Emergency Response Team has urged IT professionals to apply the patch linked to in MS08-067.

Editorial standards