NEWS FROM THE LAB - Monday, November 3, 2008

Worm Exploiting MS08-067 in the Wild Posted by Toni @ 13:34 GMT

Code building on the proof of concept binaries that were mentioned last week has moved into the wild.

We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.

The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration.

The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.