By Graeme Wearden
Special to CNET News.com
August 1, 2006
Virus writers in Austria have reportedly developed malicious code that
targets Windows PowerShell, the command line interface shell and
scripting language product being developed by Microsoft.
Security company McAfee warned this week that it had detected the
worm, called MSH/Cibyz.
MSH/Cibyz is designed to spread using the Kazaa file-sharing network,
and the worm runs in PowerShell, which is due to ship in the second
half of this year. PowerShell, formerly known as Monad, will underpin
future Microsoft products such as Exchange Server 2007.
The worm doesn't exploit a specific security hole in PowerShell.
Instead, it abuses the product's ability to execute scripts by
attempting to trick users into downloading and running malicious code.
To do this, it uses a series of product names that may be attractive
to Kazaa users. If run, the worm will overwrite some file types,
change registry details and place itself in the machine's Kazaa shared
folder in order to spread.
This type of threat isn't specific to PowerShell, and has existed for
many years. It's likely that most commercial malware protection would
be able to detect and remove a worm that behaved in this way. McAfee
said its own security software will offer protection, but users should
also be cautious when receiving files from P2P networks.
It's thought that the group behind MSH/Cibyz was also responsible for
a virus last summer targeting PowerShell. F-Secure was criticized for
identifying this as "the first virus to target Vista." At the time,
PowerShell was expected to be included in Vista, but Microsoft
subsequently laid out a separate release schedule for the product.
Jonathan Bennett of ZDNet UK contributed to this report.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.