Re: [Full-disclosure] Windows RPC worm (MS08-067) in the wild

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Windows RPC worm (MS08-067) in the wild
From: Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>
Date: Mon, 3 Nov 2008 16:39:13 +0200 (EET)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Kaspersky detect the new wave as
Exploit.Win32.MS08-067.g

and Microsoft as
Exploit:Win32/MS08067.gen!A

Sophos uses name Mal/Generic-A.

One of the reported file size is 16,384 bytes:
http://www.threatexpert.com/report.aspx?uid=919a973d-9fe1-4196-b202-731ebaaffa5d

Windows RPC vulnerability (MS08-067) FAQ has been updated to include these 
detection names:
http://blogs.securiteam.com/index.php/archives/1150

Juha-Matti

Juha-Matti Laurio [juha-matti.laurio@xxxxxxxx] kirjoitti:

The worm-type exploitation has started. More information at
http://www.f-secure.com/weblog/archives/00001526.html

The worm component has reportdly detection name Exploit.Win32.MS08-067.g and 
the kernel component Rootkit.Win32.KernelBot.dg, in turn.

Symantec uses Worm category too and the name W32.Wecorl:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99&tabid=2

Juha-Matti

Prev by Date: DriveCMS article.php remote sql injection
Next by Date: Re: iDefense Security Advisory 10.30.08: Adobe PageMaker Key Strings Stack Buffer Overflow
Previous by thread: DriveCMS article.php remote sql injection
Next by thread: A-Link WL54AP3 and WL54AP2 CSRF+XSS vulnerability
Index(es):
- Date
- Thread