August 1, 2006 4:43 PM PDT
Hackers try to crack Windows PowerShell
- Related Stories
Microsoft: Virus target won't be in VistaAugust 5, 2005
First potential virus risk for Windows Vista foundAugust 4, 2005
Security company McAfee warned this week that it had detected the worm, called MSH/Cibyz.
MSH/Cibyz is designed to spread using the Kazaa file-sharing network, and the worm runs in PowerShell, which is due to ship in the second half of this year. PowerShell, formerly known as Monad, will underpin future Microsoft products such as Exchange Server 2007.
The worm doesn't exploit a specific security hole in PowerShell. Instead, it abuses the product's ability to execute scripts by attempting to trick users into downloading and running malicious code. To do this, it uses a series of product names that may be attractive to Kazaa users. If run, the worm will overwrite some file types, change registry details and place itself in the machine's Kazaa shared folder in order to spread.
This type of threat isn't specific to PowerShell, and has existed for many years. It's likely that most commercial malware protection would be able to detect and remove a worm that behaved in this way. McAfee said its own security software will offer protection, but users should also be cautious when receiving files from P2P networks.
It's thought that the group behind MSH/Cibyz was also responsible for a virus last summer targeting PowerShell. F-Secure was criticized for identifying this as "the first virus to target Vista." At the time, PowerShell was expected to be included in Vista, but Microsoft subsequently laid out a separate release schedule for the product.
Jonathan Bennett of ZDNet UK contributed to this report.