
Exploit:Win32/MS08067.gen!A


Exploit:Win32/MS08067.gen!A is a generic detection for code that attempts to exploit a vulnerability in SVCHOST.EXE. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
 
On targeted hosts running Windows 2003, XP, 2000 or NT, this remote attack may be performed by an unauthenticated user. Successful exploitation of the vulnerability on systems with default installations of Windows Vista and Windows Server 2008 requires authentication, due to protections introduced as part of User Account Control (UAC) that enforce additional integrity levels.
 
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.


What to do now

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
 
Manual removal is not recommended for this threat. Use Microsoft Security Essentials or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Threat behavior

This exploit involves a remote attacker and a vulnerable target host. When a vulnerable host is attacked, the attacker triggers a vulnerability in the Server service (SRVSVC, hosted in svchost.exe) through an RPC request carried over the SMB protocol. When the vulnerability is successfully exploited, a buffer overrun condition is created that could allow remote code execution when file sharing is enabled.
 
In the wild, this exploit has been used by attackers to download and install a data-collecting trojan from a remote host. The trojan is detected as 'TrojanSpy:Win32/Gimmiv.A'.

Additional Information

If file sharing is enabled and the update referred to in Security Bulletin MS08-067 is not yet installed, the computer is vulnerable to this exploit and attack. This exploit requires that file sharing is enabled on the targeted system. File sharing is enabled in several scenarios, though it is disabled by default in Windows XP SP2 and newer operating systems.
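One way to triage a host against the conditions this entry describes (file sharing enabled, MS08-067 update missing, and the OS family deciding whether an attacker needs authentication), as an added PowerShell example that is not part of the original entry. It assumes that the MS08-067 update is the one tracked as KB958644, and that the Server service (LanmanServer) running with TCP port 445 listening is what the entry means by file sharing being enabled.

```powershell
# Added example, not from the Microsoft encyclopedia entry.
# Assumptions: the MS08-067 update is KB958644; "file sharing enabled" means the
# Server service is running and TCP 445 is listening. Uses Get-WmiObject/netstat so it
# also works on the older Windows PowerShell versions found on XP/2003-era hosts.
param(
    [string]$KbId = 'KB958644'   # KB article for the MS08-067 update (assumption)
)

$os = Get-WmiObject Win32_OperatingSystem
$version = [Version]$os.Version   # 5.x = NT/2000/XP/2003, 6.0 = Vista/Server 2008

# Condition 1: is the Server service (SRVSVC, hosted in svchost.exe) running?
$srv = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$serverRunning = ($srv -ne $null) -and ($srv.Status -eq 'Running')

# Condition 2: is SMB reachable, i.e. is TCP 445 in the LISTENING state?
$smbListening = (netstat -an | Select-String ':445\s' | Select-String 'LISTENING') -ne $null

# Condition 3: is the MS08-067 update installed?
$patched = (Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $_.HotFixID -eq $KbId }) -ne $null

# Per the entry, pre-Vista hosts can be attacked without authentication; Vista/2008
# default installations require an authenticated attacker because of UAC integrity levels.
$authRequired = $version -ge [Version]'6.0'

$exposed = $serverRunning -and $smbListening -and (-not $patched)
if (-not $exposed) {
    $risk = 'Not exposed'
} elseif ($authRequired) {
    $risk = 'Exposed (authenticated attacker required)'
} else {
    $risk = 'Exposed (unauthenticated remote attacker)'
}

New-Object PSObject -Property @{
    Host          = $env:COMPUTERNAME
    OSVersion     = $os.Version
    ServerService = $serverRunning
    SmbListening  = $smbListening
    Patched       = $patched
    Risk          = $risk
} | Format-List
```

Run it with administrative rights so that Get-HotFix and netstat return complete results; a "Not exposed" verdict that rests only on the patch being present still leaves the host reachable over SMB, so the service itself should stay disabled where it is not needed.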
 
Please see Security Bulletin MS08-067 for additional details regarding this vulnerability.
 
This vulnerability is similar to that discussed in MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution.
 
Analysis by Dan Kurc & Aaron Putnam

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).


Alert level: Severe
First detected by definition: 1.45.1016.0
Latest detected by definition: 1.45.1016.0 and higher
First detected on: Oct 23, 2008
This entry was first published on: Oct 22, 2008
This entry was updated on: May 17, 2010

This threat is also detected as:
  • CVE-2008-4250 (other)