
MS08-067 Worm on the Loose

Dshield has published a report of a new MS08-067 worm spreading.

"It does various things to install and hide itself on the infected
computer. It removes any System Restore points that the user has set
and disables the Windows Update Service. It looks for ADMIN$ shares on
the local network and tries to brute force the share passwords with a
built-in dictionary. At this point in time, the worm's purpose appears
to be simply to spread and infect as many computers as possible. After
January 1, 2009, it will try to reach out to a variety of web sites to
pull down an updated copy of itself. You can find examples of the
domain names in the Symantec W32.Downadup.B writeup.

The general form of the URL that it generates is: http://[GENERATED
DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d so you could configure
proxy servers or IDS sensors to start looking for "/search?q=%d" to
find systems on your network that may have possibly been compromised by
this worm."

Read more: http://isc.sans.org/diary.html?storyid=5596
Additional Information on MS08-067: http://www.cgisecurity.net/2008/10/emergency-micro.html
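The proxy-log check suggested in the diary, as an added example (this is not code from ISC, Dshield or CGISecurity). It assumes a squid-style native access.log, works over a handful of constructed sample lines rather than real traffic, and treats the diary's "%d" literally: only a purely numeric q= value matches, so ordinary search pages with word queries on the same "/search?q=" path are not flagged. Clients that hit the pattern on several distinct hosts are reported, since the worm walks a list of generated domains.

```python
import re
from collections import defaultdict

# Constructed sample lines in squid native access.log format (not real traffic):
# timestamp elapsed client action/code size method URL ident hierarchy/from type
SAMPLE_LOG = """\
1230768001.123    145 10.0.0.12 TCP_MISS/200 512 GET http://qwtmnvx.com/search?q=58 - DIRECT/203.0.113.7 text/html
1230768002.456     98 10.0.0.12 TCP_MISS/200 480 GET http://hjkzpla.net/search?q=59 - DIRECT/203.0.113.8 text/html
1230768003.789    210 10.0.0.44 TCP_MISS/200 9876 GET http://www.example.com/search?q=firewall+rules - DIRECT/198.51.100.3 text/html
1230768004.111    120 10.0.0.44 TCP_HIT/200 3321 GET http://www.example.com/index.html - NONE/- text/html
1230768005.222    101 10.0.0.12 TCP_MISS/200 466 GET http://plkrvbq.org/search?q=60 - DIRECT/203.0.113.9 text/html
"""

# URL form from the ISC diary: http://<generated domain>.<tld>/search?q=%d
# "%d" is a decimal integer, so the query value must be digits only.
URL_RE = re.compile(r"^https?://(?P<host>[^/]+)/search\?q=(?P<q>\d+)$")


def parse_squid_line(line):
    """Return (client_ip, url) from a squid native log line, or None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[6]


def find_suspect_requests(log_text):
    """Return (client_ip, host, q) for every request matching the worm's URL form."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client_ip, url = parsed
        m = URL_RE.match(url)
        if m:
            hits.append((client_ip, m.group("host"), int(m.group("q"))))
    return hits


def suspect_clients(log_text, min_distinct_hosts=2):
    """Group matches by client and flag clients that hit the pattern on
    at least min_distinct_hosts different hosts (the worm cycles through
    many generated domains; a single hit on a real site is weak evidence)."""
    by_client = defaultdict(set)
    for client_ip, host, _q in find_suspect_requests(log_text):
        by_client[client_ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_client.items()
            if len(hosts) >= min_distinct_hosts}


if __name__ == "__main__":
    for ip, hosts in suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(hosts)} hosts hit with /search?q=<n>: {', '.join(hosts)}")
```

Pointed at a real access.log, the same functions run over the file contents; the threshold in suspect_clients is the knob to tune against the false-positive rate on your own traffic.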