Exploit:Win32/MS08067.gen!A is a generic detection for code that attempts to exploit a vulnerability in the Windows Server service, which runs inside SVCHOST.EXE. If the vulnerability is successfully exploited, it could allow remote code execution on a system that has file sharing enabled.
On targeted hosts running Windows Server 2003, Windows XP, Windows 2000 or Windows NT, this remote attack may be performed by an unauthenticated user. Successful exploitation on default installations of Windows Vista and Windows Server 2008 requires authentication, due to protections introduced as part of User Account Control (UAC) that enforce additional integrity levels.
This exploit involves a remote attacker and a vulnerable target host. The attacker triggers a vulnerability in the Server service (SRVSVC, hosted in svchost.exe) through an RPC call carried over the SMB protocol. Successful exploitation causes a buffer overrun that could allow remote code execution when file sharing is enabled.
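The following is an added detection example and is not part of the Microsoft encyclopedia entry. It parses a single DCERPC request PDU of the kind carried over SMB to the srvsvc named pipe, checks that the opnum is 31 (NetprPathCanonicalize on the SRVSVC interface, UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188), and flags stub data whose UTF-16LE path walks above its own root with repeated "\..\" sequences, which is the pattern the public exploits feed to the vulnerable canonicalisation routine. The opnum, the interface UUID, the traversal heuristic and the sample PDUs are all assumptions of this example (the sample traffic is constructed here, not captured from an attack), and in a real sensor the stub would be taken from reassembled SMB traffic after the bind that maps the context id to SRVSVC.

```python
import re
import struct

# opnum of NetprPathCanonicalize on the SRVSVC interface
# (UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, v3.0). Assumption of this
# example: this is the call the MS08-067 exploits issue over the srvsvc pipe.
NETPATHCANONICALIZE_OPNUM = 31

# Heuristic (assumption): a path that walks above its own root ("\..\.." and
# deeper) is what the public exploits hand to the canonicalisation routine.
# Legitimate clients have no reason to send such a path.
TRAVERSAL = re.compile(r"(\\\.\.){2,}")


def parse_dcerpc_request(pdu: bytes) -> dict:
    """Parse a DCERPC request PDU (24-byte header) into its fields and stub data."""
    if len(pdu) < 24:
        raise ValueError("PDU shorter than request header")
    rpc_vers, rpc_vers_minor, ptype, pfc_flags = struct.unpack_from("<BBBB", pdu, 0)
    if rpc_vers != 5 or ptype != 0:  # ptype 0 == request
        raise ValueError("not a DCERPC v5 request PDU")
    drep = pdu[4:8]
    endian = "<" if drep[0] & 0x10 else ">"  # drep[0] bit 4 set: little-endian integers
    frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", pdu, 8)
    alloc_hint, ctx_id, opnum = struct.unpack_from(endian + "IHH", pdu, 16)
    if frag_len > len(pdu):
        raise ValueError("frag_len exceeds captured data")
    # an auth verifier (8-byte header + auth_len bytes) trails the stub when present
    stub_end = frag_len - (auth_len + 8 if auth_len else 0)
    return {"call_id": call_id, "ctx_id": ctx_id, "opnum": opnum, "stub": pdu[24:stub_end]}


def utf16_strings(stub: bytes, min_len: int = 4) -> list:
    """Pull printable UTF-16LE runs out of NDR stub data (4-byte aligned, so even offsets)."""
    text = stub[: len(stub) & ~1].decode("utf-16-le", errors="replace")
    return re.findall(r"[\x20-\x7e]{%d,}" % min_len, text)


def is_ms08067_attempt(pdu: bytes) -> bool:
    """True when the PDU is a NetprPathCanonicalize request carrying a traversal path."""
    try:
        req = parse_dcerpc_request(pdu)
    except ValueError:
        return False
    if req["opnum"] != NETPATHCANONICALIZE_OPNUM:
        return False
    return any(TRAVERSAL.search(s) for s in utf16_strings(req["stub"]))


# --- constructed sample traffic (not captured from a real attack) ----------

def ndr_wstr(s: str) -> bytes:
    """Encode a conformant-varying NDR wide string: max_count, offset, actual_count, chars."""
    data = (s + "\0").encode("utf-16-le")
    n = len(s) + 1
    out = struct.pack("<III", n, 0, n) + data
    return out + b"\0" * (-len(out) % 4)  # NDR pads to 4-byte alignment


def build_request(opnum: int, stub: bytes, call_id: int = 1) -> bytes:
    """Wrap stub data in a DCERPC request header (first+last fragment, LE drep)."""
    header = struct.pack("<BBBB", 5, 0, 0, 0x03) + b"\x10\x00\x00\x00"
    header += struct.pack("<HHI", 24 + len(stub), 0, call_id)
    header += struct.pack("<IHH", len(stub), 0, opnum)
    return header + stub


def canonicalize_stub(server: str, path: str) -> bytes:
    """First two [in] arguments of NetprPathCanonicalize: ServerName (unique ptr) and PathName."""
    referent = struct.pack("<I", 0x00020000)
    return referent + ndr_wstr(server) + ndr_wstr(path)


BENIGN_PDU = build_request(NETPATHCANONICALIZE_OPNUM,
                           canonicalize_stub("\\\\SERVER", "\\share\\dir\\file.txt"))
# Only the traversal-above-root shape matters to the heuristic; the filler is
# inert and does not reproduce any exploit payload.
SUSPECT_PDU = build_request(NETPATHCANONICALIZE_OPNUM,
                            canonicalize_stub("\\\\SERVER", "\\" + "A" * 32 + "\\..\\..\\" + "B" * 16))
OTHER_OPNUM_PDU = build_request(10, canonicalize_stub("\\\\SERVER", "\\..\\..\\x"))

if __name__ == "__main__":
    for name, pdu in (("benign", BENIGN_PDU), ("suspect", SUSPECT_PDU), ("other opnum", OTHER_OPNUM_PDU)):
        print(name, is_ms08067_attempt(pdu))
```

The heuristic is deliberately narrow: it only fires on the one RPC call the exploit needs and only on a path shape that no legitimate client sends, so it is cheap to run on a srvsvc pipe feed without producing noise. It is a detection aid, not a mitigation; the fix is the MS08-067 update.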
In the wild, this exploit has been used by attackers to download and install a data-collecting trojan from a remote host. The trojan is detected as TrojanSpy:Win32/Gimmiv.A.
If file sharing is enabled and the update referred to in Security Bulletin MS08-067 is not yet installed, the computer is vulnerable to this exploit. The exploit requires that file sharing is enabled on the targeted system. File sharing is disabled by default in Windows XP SP2 and newer operating systems, but it is enabled in several common scenarios.
Analysis by Dan Kurc & Aaron Putnam
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom.