Rinbot worm won't go away

07.03.2007
The Rinbot worm continues to pester and plague companies, several security organizations said, even as Symantec Corp. declared that its honeypot network had captured traffic showing that a botnet was spreading the malware.

Rinbot is an on-again, off-again threat that exploits a pair of long-patched vulnerabilities -- one in Microsoft Windows' Server Service fixed in August 2006, the other in Symantec's own Client Security and Symantec AntiVirus software, which were patched in June. Rinbot was last in the news a week ago, when systems at Turner Broadcasting System Inc., part of Time Warner Inc. and the parent of Cable News Network LP, were reportedly attacked by it. The worm is also known as Delbot.

Shirley Powell, a spokeswoman for Turner Broadcasting, declined to identify the exploit that hit the company's network. But she confirmed in an e-mail that "we have been hit by a virus." The effect was minimal, but "repairs are ongoing," she said.

Security professionals urged users to patch their systems, but at least one said the Rinbot threat was overstated. "This is [just] one of thousands of bots crawling the Internet today," said Ken Dunham, director of VeriSign Inc.'s iDefense rapid-response team. "Some bots are more interesting than others, and some more sophisticated. There is no large global threat issue with Rinbot variants to date."

Yesterday, however, Symantec posted a warning to customers of its DeepSight threat alert network that honeypots -- deliberately unpatched and unguarded PCs that try to attract exploits for evaluation -- had detected botnet traffic connected to Rinbot's spread. In the attack against the Symantec honeypot, an exploit used the Microsoft vulnerability to compromise the PC, then downloaded a Rinbot variant.

"The botnet is trying to instruct the compromised system to download another piece of malicious code or a new variant of the Rinbot or Spybot family worm," Symantec said in its alert.