0 Replies Latest reply on Oct 30, 2008 10:08 AM by HarryWaldron

    MS08-067: Trojan Gimmiv.A is not a true worm YET

      All home and corporate users should ensure they are up-to-date on Windows security patches. A Windows Update should be performed if it's not an automatic process on your system. This emergency release became available on October 23, 2008.

      So far, Troj/Gimmiv.A requires social engineering and some human intervention for the malware agents to load on unpatched Windows workstation and server operating systems. Usually, this requires visiting a malicious website or a mouse click to install the malicious software.

      A true worm will automatically infect vulnerable systems that are simply connected to the Internet or a Local Area Network, without any human intervention. Examples of past true worms include Code Red, Blaster, SQL-Slammer, Sasser, etc. It should also be noted that some of these early variants were buggy and less effective than more streamlined later versions.
      It is hoped that exploits related to MS08-067 will not become wormable.

      Still, users should not take a chance. By patching now, they will prevent infections if a wormable threat materializes later. Information on patching this security vulnerability can be found below:

      Microsoft Security Bulletin - MS08-067 Information
      http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

      Gimmiv.A exploits critical vulnerability (MS08-067)
      http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

      QUOTE: What needs to be clarified here, is that the exploit MS08-067 used by Gimmiv.A allows remote code execution, which makes it potentially "wormable". Considering that the vector of attack is RPC DCOM and the code is similar to typical RPC DCOM network-aware worms, which is used against other hosts in the network, Gimmiv.A is determined in this post as a worm. However, it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network

      First Glimpse into MS08-067 Exploits In The Wild
      http://www.avertlabs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/

      Gimmiv - Additional Information Links
      http://vil.nai.com/vil/content/v_152898.htm
      http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx
      http://www.prevx.com/blog/101/MS--GimmivA-exploits-Windows-bug.html
      http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/
      https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&thread.id=174
      http://www.networkworld.com/community/node/34429
      http://www.precisesecurity.com/threats/trojangimmiva/
      http://www.csoonline.com/article/456980/Gimmiv_Worm_Feeds_on_Latest_Microsoft_Bug
      http://www.sophos.com/security/analyses/viruses-and-spyware/trojgimmiva.html
      http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74604
      http://www.threatexpert.com/reports.aspx?find=gimmiv
      http://www.frsirt.com/english/virus/2008/06423