At least three new worm variants targeting a vulnerability in Microsoft's Plug and Play service have been spotted in the wild by enterprise software house Computer Associates' (CA) antivirus labs in Melbourne, with the vendor warning there is more to come over the next week.
According to CA, the new worms are also showing up in Australia with "a number of samples from .com.au domains" picked up on the vendor's antiviral scanning system.
Carrying a variety of payloads, the new worms have been identified and named as Win32.Tpbot.A, Win32.Esbot.A and Win32.Drugtob.B, and all exploit the MS05-039 vulnerability.
So far the symptoms of infection include continuous rebooting. The new worms exploit a buffer overflow vulnerability in the Plug and Play service, running on port 445.
According to CA, "Organizations should have this blocked at the firewall, but must be wary of mobile users that connect from outside the corporate network (such as from a hotel or conference centre) and may bring an infected PC back into the network." This is in addition to applying the patch available from Microsoft.com.
Computerworld has contacted Microsoft Australia for comment and is awaiting a response.