
SANS ISC: MS - new malware using an ms08-067 exploit gained momentum - Internet Security | DShield SANS ISC InfoSec Forums


MS - new malware using an ms08-067 exploit gained momentum

In Tuesday's blog "More MS08-067 Exploits", Microsoft said that new malware using an MS08-067 exploit "gained momentum and as a result we see an increased support call volume". That post and the other writeups on this malware largely overlap; details that appear in some writeups but not in others include:

Symantec W32.Downadup

... "the worm deletes any user-created System Restore points" ...

... "the worm attempts to contact the following sites to obtain the current date:

    * http://www.w3.org
    * http://www.ask.com
    * http://www.msn.com
    * http://www.yahoo.com
    * http://www.google.com
    * http://www.baidu.com

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional files onto the compromised computer".
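As an added example (not from this diary or from the vendor writeups), here is a Python sketch of how a defender could turn the behaviour quoted above into a DNS-log detection: a client that resolves one of the six listed date sources and then, within a short window, resolves many domains not on a local allowlist is flagged. The log format, window, threshold, allowlist and the sample log are all assumptions constructed for the example; the generated-looking names are placeholders, not the worm's real domains.

```python
"""Flag clients whose DNS activity matches the Downadup pattern described above:
a lookup of one of the six listed date sources, then a burst of lookups for many
distinct domains not on an allowlist. Heuristic, thresholds and log format are
hypothetical (mine, not the vendors'); the sample log below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# The six sites the Symantec writeup names as the worm's date sources.
DATE_SOURCES = {"www.w3.org", "www.ask.com", "www.msn.com",
                "www.yahoo.com", "www.google.com", "www.baidu.com"}
WINDOW = timedelta(minutes=10)  # watch period after a date-source lookup (assumed)
MIN_DISTINCT = 20               # distinct unlisted domains needed to alert (assumed)

def parse_line(line):
    """Constructed format: '<ISO timestamp> <client> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def find_suspects(lines, allowlist):
    """Return {client: number of distinct unlisted domains queried within WINDOW
    of its latest date-source lookup} for clients at or above MIN_DISTINCT."""
    last_date_lookup = {}
    burst = defaultdict(set)
    for line in lines:
        ts, client, qname, _rcode = parse_line(line)
        if qname in DATE_SOURCES:
            last_date_lookup[client] = ts   # a date check opens a new window
            burst[client] = set()
            continue
        start = last_date_lookup.get(client)
        if start is not None and ts - start <= WINDOW and qname not in allowlist:
            burst[client].add(qname)
    return {c: len(d) for c, d in burst.items() if len(d) >= MIN_DISTINCT}

def constructed_log():
    """Two clients: 10.0.0.5 browses normally, 10.0.0.9 shows the worm pattern.
    The 'dgaNNxk1a.example' names are placeholders, not real generated domains."""
    t0 = datetime(2008, 11, 26, 10, 0, 0)
    lines = [f"{t0.isoformat()} 10.0.0.5 www.google.com NOERROR",
             f"{(t0 + timedelta(seconds=5)).isoformat()} 10.0.0.5 mail.example.com NOERROR",
             f"{t0.isoformat()} 10.0.0.9 www.w3.org NOERROR"]
    for i in range(30):
        ts = (t0 + timedelta(seconds=10 + i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 dga{i:02d}xk1a.example NXDOMAIN")
    return lines

ALLOWLIST = {"mail.example.com", "intranet.example.com"}  # constructed local allowlist

if __name__ == "__main__":
    print(find_suspects(constructed_log(), ALLOWLIST))  # {'10.0.0.9': 30}
```

Legitimate clients also resolve these popular sites, so the date-source lookup alone means nothing; the signal is the burst of distinct, unlisted (here mostly NXDOMAIN) names that follows it.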

Microsoft Conficker.A

"Once a machine has been infected the worm will patch the exploited function via a simple code hook in order to prevent re-infecting a machine it has already compromised".

Other links:

F-Secure Worm:W32/Downadup.A

CA Win32/Conficker.A


Patrick

