
Impending MS06-040 Worm? Don't Panic

With the release of the first working unauthenticated remote exploit in a couple of years, many in the press have taken to predicting that a new worm is on the horizon. No doubt the AV companies are all prepared to disassemble, analyze, and, most importantly, name the new worm.

Several things will limit the effects of such a worm. First, on XP Service Pack 2 the exploit is widely thought to cause only a denial of service. The real threat is to earlier service packs and older versions of Windows. Microsoft is probably the only party able to say what percentage of machines run Windows 2000 or XP SP1 versus XP SP2, but from the organizations we have dealt with, my impression is that SP2 has been widely adopted.

Given all this, it's probably not worth getting too riled up. Two things should get your attention: the release of a reliable exploit payload for XP SP2, or a lot of non-SP2 systems on your network. If the latter is the case, it's time to get with the program and upgrade. Don't bank on a reliable exploit never being released; many smart people are thinking very hard about how to make that happen.
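As an added example (not part of the original post), the inventory the last paragraph calls for: a PowerShell script, assuming WMI access and admin rights on the hosts, that queries Win32_OperatingSystem for a constructed list of hostnames and flags Windows 2000 and XP below SP2.

```powershell
# Added example (not from the original post): inventory Windows hosts and flag
# those still on Windows 2000 or XP with a service pack below 2, i.e. the
# population the post considers at real risk. Hostnames are constructed samples;
# the script assumes WMI (DCOM) access and admin rights on each target.
$hosts = @('ws01', 'ws02', 'srv-file01')

function Test-PreSP2 {
    param([string]$Version, [int]$SpMajor)
    # Windows 2000 reports 5.0.x; Windows XP reports 5.1.x. Anything on 2000,
    # or on XP below SP2, is reported as at risk.
    if ($Version -like '5.0.*') { return $true }
    if ($Version -like '5.1.*' -and $SpMajor -lt 2) { return $true }
    return $false
}

foreach ($h in $hosts) {
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $h -ErrorAction Stop
        $atRisk = Test-PreSP2 -Version $os.Version -SpMajor $os.ServicePackMajorVersion
        [pscustomobject]@{
            Host        = $h
            OS          = $os.Caption
            ServicePack = $os.CSDVersion
            AtRisk      = $atRisk
        }
    } catch {
        # Unreachable or access denied: report it rather than silently skipping,
        # since the host nobody can query is exactly the one that gets forgotten.
        [pscustomobject]@{ Host = $h; OS = 'unreachable'; ServicePack = ''; AtRisk = $null }
    }
}
```

Pipe the output through Where-Object { $_.AtRisk -ne $false } to get the list of hosts to upgrade or chase down.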

It has begun

Apparently it has begun: http://isc.sans.org/diary.php?n&storyid=1592.

Wonder if there will be a nepenthes module out for it.

Botnets attack :)

Here is the MD5 that SANS has listed: 9928a1e6601cf00d0b7826d13fb556f0

Earn eternal glory by finding this MD5 and posting it. :)

LURHQ Analysis

LURHQ has some details on the malware dropped at http://www.lurhq.com/mocbot-ms06040.html

It states: "Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040."

It's up

The variant ISC.SANS is reporting is in the OC database; just search for the above listed MD5 (9928a1e6601cf00d0b7826d13fb556f0).

Thanks to whoever uploaded it