Why is the shock wave (Blaster) back?

Source: Internet
Author: User
Tags: kaspersky antivirus

Microsoft today released an out-of-band patch, KB958644 (Security Bulletin MS08-067). The flaw is in the RPC-based Server Service: an attacker who can reach TCP port 139 or 445 on a target can execute code remotely with SYSTEM (administrator) privileges, and on Windows XP and 2003 no authentication is needed. It is very similar to the vulnerability exploited by the Blaster worm (the "shock wave" virus), and mainly affects XP and 2003. Patch download: http://www.microsoft.com/downloads/details.aspx?displaylang=zh-cn&familyid=0d5f9b6e-9265-44b9-a376-2067b73d6a03

A worm named Gimmiv.A has already begun to exploit this vulnerability to spread:

 

A critical vulnerability in the Server Service has only just been patched by Microsoft (MS08-067), and a new worm called Gimmiv.A has already been found exploiting it in the wild.

Once executed, the worm drops 3 files, winbase.dll, basesvc.dll and syicon.dll, into the directory %System%\WBEM\.

It then installs and starts a new service called basesvc with the display name "Windows NT Baseline". The basesvc service makes svchost.exe load winbase.dll, which is registered as the ServiceDll parameter of basesvc.

Once loaded, winbase.dll loads 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.

After dropping and loading these DLLs, the worm collects system information from the compromised computer, harvests passwords from the Windows Protected Storage and the Outlook Express password cache, and posts the collected details to a remote host. The details are posted in encrypted form, using AES (Rijndael).

The collected information also records whether any of the following AV products are installed on the compromised system:

    • BitDefender Antivirus
    • Jiangmin Antivirus
    • Kingsoft Internet Security
    • Kaspersky Antivirus
    • Microsoft's OneCare Protection
    • Rising Antivirus
    • Trend Micro

The details collected by Gimmiv.A are then posted to the personal profile of the user "perlbody", hosted with the http://www.t35.com hosting provider. At the time of writing, the collected details were visible at that profile.

At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could conceal one victim's details, indirectly indicating how many victims have been compromised by this worm so far.

The worm also fetches a few files from the following locations:

    • http://summertime.1gokurimu.com
    • http://perlbody.t35.com
    • http://doradora.atzend.com

One of the downloaded files is a GIF image (shown in the original post).

The most interesting part of this worm is implemented in basesvc.dll, the DLL responsible for the worm's network propagation.

It starts by probing other IPs on the same network, sending them the byte sequence "ABCDE" or "12345". The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server Service. As is well known, the Server Service exposes its RPC interface over the named pipe SRVSVC, registered with the UUID 4b324fc8-1670-01d3-4268-5a47bf6ee188. To attack it, the worm first binds to SRVSVC by constructing an RPC bind request (shown as a packet dump in the original post).

Next, Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to canonicalize the path "\c\..\..\aaaaaaaaaaaaaaaaaaaaaaaaaaa" by calling the vulnerable RPC function NetPathCanonicalize. The second "..\" walks back past the start of the path, which is what triggers the bug. The traffic dump (thanks to Don Jackson from SecureWorks for providing it) is reproduced in the original post.
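The exchange described above, as an added example that is neither Gimmiv.A's code nor from the original post: a Python builder for the two PDUs (the DCE/RPC bind to srvsvc by its UUID, and the NetprPathCanonicalize request, which is opnum 31 of the MS-SRVS interface) and a classifier that recognises them the way a network sensor would. The srvsvc and NDR transfer-syntax UUIDs are the real ones; the NDR stub encodes only the parameters needed to recover the path, and the fragment sizes, OutbufLen, PathType, Flags and call ids are arbitrary choices for the example. The path check flags any request whose "..\" components outnumber the directories before them, which is the shape of the exploit path rather than the specific string the worm uses.

```python
"""Constructed example: build and recognise the srvsvc bind and the
NetprPathCanonicalize request described above.  Not Gimmiv.A's code and
not from the original post; see the lead-in for the assumptions."""
import struct
import uuid

SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-4268-5a47bf6ee188")  # from the post
SRVSVC_VERSION = (3, 0)
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")     # NDR transfer syntax
NDR_VERSION = (2, 0)
OPNUM_NETPATHCANONICALIZE = 31      # NetprPathCanonicalize opnum in MS-SRVS
PTYPE_REQUEST, PTYPE_BIND = 0, 11


def _header(ptype, body_len, call_id):
    # 16-byte DCE/RPC header: v5.0, first+last fragment, little-endian
    # ASCII data representation (0x10), no auth trailer.
    return struct.pack("<BBBBIHHI", 5, 0, ptype, 0x03, 0x10,
                       16 + body_len, 0, call_id)


def _ndr_wstring(s):
    # NDR conformant-varying wide string: max_count, offset, actual_count,
    # then UTF-16LE characters including the terminator, padded to 4 bytes.
    n = len(s) + 1
    body = struct.pack("<III", n, 0, n) + (s + "\0").encode("utf-16-le")
    return body + b"\0" * (-len(body) % 4)


def build_bind(call_id=1):
    """Bind PDU asking for the srvsvc v3.0 interface over NDR v2.0."""
    ctx = struct.pack("<HBB", 0, 1, 0)                 # context id 0, one transfer syntax
    ctx += SRVSVC_UUID.bytes_le + struct.pack("<HH", *SRVSVC_VERSION)
    ctx += NDR_UUID.bytes_le + struct.pack("<HH", *NDR_VERSION)
    # max xmit/recv fragment sizes and the assoc group are arbitrary here
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_canonicalize_request(path, call_id=2):
    """Request PDU for NetprPathCanonicalize(NULL, path, ..., "\\", ...)."""
    stub = struct.pack("<I", 0)             # ServerName: NULL unique pointer
    stub += _ndr_wstring(path)              # PathName
    stub += struct.pack("<I", 4096)         # OutbufLen (arbitrary)
    stub += _ndr_wstring("\\")              # Prefix
    stub += struct.pack("<II", 1, 0)        # PathType (in/out), Flags (arbitrary)
    body = struct.pack("<IHH", len(stub), 0, OPNUM_NETPATHCANONICALIZE) + stub
    return _header(PTYPE_REQUEST, len(body), call_id) + body


def _read_wstring(buf, off):
    _max_count, _offset, actual = struct.unpack_from("<III", buf, off)
    off += 12
    text = buf[off:off + 2 * actual].decode("utf-16-le").rstrip("\0")
    off += 2 * actual
    return text, off + (-off % 4)           # re-align to 4 bytes


def climbs_above_root(path):
    """True when '..' components outnumber the directories before them,
    so canonicalisation would walk back past the start of the path."""
    depth = 0
    for part in path.split("\\"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def classify_pdu(pdu):
    """Decode a single PDU and report whether it matches the worm's pattern."""
    vers, _minor, ptype, _flags, _drep, frag_len, _auth, _cid = \
        struct.unpack_from("<BBBBIHHI", pdu, 0)
    if vers != 5 or frag_len != len(pdu):
        raise ValueError("not a complete DCE/RPC v5 PDU")
    if ptype == PTYPE_BIND:
        ifaces, off = [], 28                # contexts start after the 12-byte bind body
        for _ in range(pdu[24]):            # number of context elements
            _ctx_id, n_ts = struct.unpack_from("<HB", pdu, off)
            ifaces.append(uuid.UUID(bytes_le=pdu[off + 4:off + 20]))
            off += 4 + 20 + 20 * n_ts       # ctx header, abstract syntax, transfer syntaxes
        return {"ptype": "bind", "srvsvc": SRVSVC_UUID in ifaces, "interfaces": ifaces}
    if ptype == PTYPE_REQUEST:
        _alloc, _ctx, opnum = struct.unpack_from("<IHH", pdu, 16)
        stub = pdu[24:]
        info = {"ptype": "request", "opnum": opnum, "path": None, "suspicious": False}
        if opnum == OPNUM_NETPATHCANONICALIZE:
            off = 4                         # skip the ServerName referent id
            if struct.unpack_from("<I", stub, 0)[0] != 0:
                _, off = _read_wstring(stub, off)   # non-NULL ServerName carries a string
            info["path"], _ = _read_wstring(stub, off)
            info["suspicious"] = climbs_above_root(info["path"])
        return info
    return {"ptype": ptype}


if __name__ == "__main__":
    for pdu in (build_bind(), build_canonicalize_request("\\c\\..\\..\\" + "a" * 27)):
        print(pdu.hex())
        print(classify_pdu(pdu))
```

Run as a script it prints both PDUs as hex and their classification; a sensor would feed it the DCE/RPC payload of each SMB write to the SRVSVC pipe. Matching on the srvsvc bind followed by opnum 31 with a root-climbing path is deliberately narrower than matching on "..\" alone, since legitimate canonicalize calls contain ".." too.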

As this is a critical exploit, Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
