Security threats Toolkit

Proof-of-concept malware targets Windows PowerShell

Tags:
Viruses,
Malware

Graeme Wearden ZDNet.co.uk

Published: 01 Aug 2006 17:40 BST

Virus writers in Austria have reportedly developed malicious code that targets Windows PowerShell, the command line interface (CLI) shell and scripting language product being developed by Microsoft.

Security firm McAfee warned this week that it had detected the worm, called MSH/Cibyz.

MSH/Cibyz is designed to spread using the Kazaa file-sharing network, and the worm runs in PowerShell, which is due to ship in the second half of this year. PowerShell will underpin future Microsoft products such as Exchange Server 2007.

The worm doesn't exploit a specific security hole in PowerShell. Instead, it abuses the product's ability to execute scripts, by attempting to trick users into downloading and running malicious code. To do this, it uses a series of product names that may be attractive to Kazaa users. If run, the worm will overwrite some file types, change registry details and place itself in the machine's Kazaa shared folder in order to spread.

This type of threat isn't specific to PowerShell, and has existed for many years. It's likely that most commercial malware protection would be able to detect and remove a worm that behaved in this way. McAfee said its own security software will offer protection, but users should also be cautious when receiving files from P2P networks.

It's thought that the group behind MSH/Cibyz was also responsible for a virus last summer targeting PowerShell. F-Secure was criticised for identifying this as "the first virus to target Vista". At the time, PowerShell, earlier known as Monad, was expected to be included in Vista, but Microsoft subsequently laid out a separate release schedule for the product.

ZDNet UK's Jonathan Bennett contributed to this report.