2007 is really starting with a bang, eh? The latest outbreak seems to be defined so far by a Windows Mutex Object service. Mutexes are meant to provide mutual exclusion for contended resources so that threads and processes can synchronize. Here’s what seems to happen to affected systems:
- mutex.exe starts and runs in task manager, and can restart itself if you terminate it
- attempts to contact link.hottest.es over random high ports
- kills the RPC service
- prevents regedit from running
- disables services
The first symptom appears to be loss of network connectivity.
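For triage, the symptoms above double as host-level indicators. The script below is an added example (not from the original post) that checks constructed sample output modelled loosely on `tasklist`, `netstat -ano` and service queries for the three observable symptoms the post lists: a running `mutex.exe`, outbound attempts to `link.hottest.es` on high ports, and a stopped RPC service. The service name `RpcSs`, the 1024 "high port" threshold, and the sample data are all assumptions made for the example.

```python
"""Added example: triage a host against the symptoms listed in the post.

The sample records below are constructed for this example and only
loosely resemble real tasklist / netstat / sc output.
"""
from typing import Dict, List, Tuple

# Indicators taken from the post itself.
SUSPECT_PROCESS = "mutex.exe"
SUSPECT_HOST = "link.hottest.es"
# Assumed: Windows service name for "Remote Procedure Call (RPC)".
RPC_SERVICE = "RpcSs"
# The post says "random high ports"; treating >= 1024 as "high" is our assumption.
HIGH_PORT_FLOOR = 1024

# Constructed sample data (image name, PID, session name).
SAMPLE_TASKLIST = """\
svchost.exe                    912 Services
mutex.exe                     2240 Console
explorer.exe                  1540 Console
"""

# Constructed sample data (proto, local, remote, state, owning PID).
SAMPLE_NETSTAT = """\
TCP    10.0.0.5:1043     link.hottest.es:47231  SYN_SENT     2240
TCP    10.0.0.5:1044     link.hottest.es:51002  SYN_SENT     2240
TCP    10.0.0.5:139      10.0.0.7:2981          ESTABLISHED  4
UDP    0.0.0.0:137       *:*                                 4
"""

# Constructed sample data: service name -> state.
SAMPLE_SERVICES = {"RpcSs": "STOPPED", "Dnscache": "RUNNING"}


def find_suspect_processes(tasklist: str, name: str = SUSPECT_PROCESS) -> List[int]:
    """Return the PIDs of every process whose image name matches `name`."""
    pids = []
    for line in tasklist.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == name.lower() and parts[1].isdigit():
            pids.append(int(parts[1]))
    return pids


def find_suspect_connections(netstat: str, host: str = SUSPECT_HOST) -> List[Tuple[int, int]]:
    """Return (owning_pid, remote_port) for each connection to `host` on a high port."""
    hits = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        remote = parts[2]
        if ":" not in remote:
            continue
        rhost, rport = remote.rsplit(":", 1)  # rsplit keeps IPv6-style hosts intact
        if rhost.lower() == host.lower() and rport.isdigit() and int(rport) >= HIGH_PORT_FLOOR:
            hits.append((int(parts[-1]), int(rport)))
    return hits


def rpc_service_down(services: Dict[str, str], name: str = RPC_SERVICE) -> bool:
    """True when the RPC service exists on the host but is not running."""
    state = services.get(name)
    return state is not None and state.upper() != "RUNNING"


def triage(tasklist: str, netstat: str, services: Dict[str, str]) -> Dict[str, object]:
    """Combine the three symptoms; a beacon owned by the suspect PID is the strongest signal."""
    pids = find_suspect_processes(tasklist)
    conns = find_suspect_connections(netstat)
    linked = [c for c in conns if c[0] in pids]
    findings: Dict[str, object] = {
        "suspect_pids": pids,
        "beacon_attempts": conns,
        "beacons_from_suspect_process": linked,
        "rpc_down": rpc_service_down(services),
    }
    # Simple count of independent symptoms present, 0..4.
    findings["score"] = sum([bool(pids), bool(conns), bool(linked), bool(findings["rpc_down"])])
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TASKLIST, SAMPLE_NETSTAT, SAMPLE_SERVICES).items():
        print(f"{key}: {value}")
```

The score is deliberately coarse: the process name alone is weak (anything can be called `mutex.exe`), but the same PID both owning the process and attempting connections to the named host, with RPC down, matches all of the post's symptoms at once.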
Symantec is calling this lokkest and warns of backdoors and keyloggers. They also suggest a large number of attack vectors:
1. Spreads through Yahoo! Messenger, AOL Instant Messenger, MSN Messenger, and ICQ.
2. Spreads to SQL server and to network shares protected by weak passwords, and by exploiting the following vulnerabilities:
* Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in Symantec Advisory SYM06-010)
* The RealVNC Remote Authentication Bypass Vulnerability (as described in Bugtraq ID 17978)
* The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS06-040)
* The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007)
Patch, patch, patch…