                      
		More MS08-067 Exploits
					  
As expected, we are seeing another wave of attacks exploiting the 
vulnerability detailed in security bulletin MS08-067.

Early last week we blogged about MS08-067 exploits. At that time, 
the number of exploits in the wild was still low and they were 
mostly targeted attacks. However, during the weekend we started 
receiving customer reports for new malware that exploits this vulnerability. 
During the last two days that malware gained momentum and as a result we 
see an increased support call volume. The SHA1 hash of the malware is 
0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as 
Worm:Win32/Conficker.A. 

This malware mostly spreads within corporations but also was reported by 
several hundred home users. It opens a random port between port 1024 and 
10000 and acts like a web server. It propagates to random computers on 
the network by exploiting MS08-067. Once the remote computer is exploited, 
that computer will download a copy of the worm via HTTP using the random 
port opened by the worm. The worm often uses a .JPG extension when copied 
over and then it is saved to the local system folder as a random named dll.

It is also interesting to note that the worm patches the vulnerable API 
in memory so the machine will not be vulnerable anymore. It is not that 
the malware authors care so much about the computer as they want to make 
sure that other malware will not take it over too... More details are 
available in our encyclopedia write up.

Most of the reports come from users in the United States, but we also 
received reports from other countries/regions such as Germany, Spain, 
France, Italy, Taiwan, Japan, Brazil, Turkey, China, Mexico, Canada, 
Argentina and Chile. On the other hand, Worm:Win32/Conficker.A avoids 
infecting Ukrainian computers and indeed we received no reports from 
there. 

We have also found several bots that exploit MS08-067. We detect them 
as Backdoor:Win32/IRCbot.BH.

We continue to urge all our customers to install MS08-067. If you have 
installed this update, you’re already protected from this malware. 
We'll continue to monitor the situation and will post updates as necessary.