[Full-disclosure] Windows RPC worm (MS08-067) in the wild
Juha-Matti Laurio
juha-matti.laurio at netti.fi
Mon Nov 3 14:39:13 GMT 2008
Kaspersky detect the new wave as
Exploit.Win32.MS08-067.g
and Microsoft as
Exploit:Win32/MS08067.gen!A
Sophos uses name Mal/Generic-A.
One of the reported file size is 16,384 bytes:
http://www.threatexpert.com/report.aspx?uid=919a973d-9fe1-4196-b202-731ebaaffa5d
Windows RPC vulnerability (MS08-067) FAQ has been updated to include these detection names:
http://blogs.securiteam.com/index.php/archives/1150
Juha-Matti
Juha-Matti Laurio [juha-matti.laurio at netti.fi] kirjoitti:
> The worm-type exploitation has started. More information at
> http://www.f-secure.com/weblog/archives/00001526.html
>
> The worm component has reportdly detection name Exploit.Win32.MS08-067.g and the kernel component Rootkit.Win32.KernelBot.dg, in turn.
>
> Symantec uses Worm category too and the name W32.Wecorl:
> http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99&tabid=2
>
> Juha-Matti
>
Full-Disclosure is hosted and sponsored by Secunia.