MS08-067 Gone To Worm

A worm has been spotted in the wild that is exploiting the MS08-067 vulnerability for which Microsoft released an out-of-band update for yesterday. We urge you to update as soon as possible as there is now working code in the wild. All servers should be patched, especially external ones. If for some reason you have RPC exposed to the world, a very close look should be given to those systems as they may have already been compromised. Internal systems should be patched as soon as possible since this is now a worm, a worm that could be brought in through laptops or other means of access.
A little info on the worm itself, it has been dubbed Gimmiv.A. When the worm executes it will drop three files, winbase.dll, basesvc.dll and syicon.dll into the %System%\Wbem\basesvc.dll. It will then install a service named BaseSvc which will then force svchost.exe to load the trojan dlls. The trojan will collect data from the machine, including passwords, and send them to a remote machine.

Leave a Reply