Thoughts from the EPS Windows Server Performance Team
Over the last couple of weeks, there has been an uptick in the number of different malware programs aimed at exploiting the vulnerability patched in MS08-067. If you’ve been monitoring the various security websites and blogs, then you’ve probably already seen information on malware such as Worm:Win32/Conficker.A and Backdoor:Win32/IRCbot.BH. The major AV software packages are configured to detect this malware, so if you’ve already patched your systems with MS08-067 and your AV software is up to date, then the odds are that you are in decent shape. Nevertheless, here are some of the common symptoms that you may see in relation to MS08-067 exploits:
A quick word of warning here – there are other reasons that SVCHOST.EXE might be experiencing high CPU usage, or may crash – remember that if your systems are already patched, then you’re probably experiencing something other than an MS08-067 exploit. To be on the safe side, here are some ways to identify if you are the victim of the exploit:
Steps taken to identify Worm:Win32/Conficker.A
Check the registry for a service with a random name (shown here as RANDOMSERVICENAME) that runs under the netsvcs svchost group:
"ImagePath"="C:\Windows\system32\svchost.exe -k netsvcs"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RANDOMSERVICENAME\Parameters]
Steps taken to identify Backdoor:Win32/IRCbot.BH
Value: "MS Gaurd Driver"
With data: "%ProgramFiles%\msgaurd.exe"
Value: "SoundMAX Driver"
With data: "%ProgramFiles%\soundmax.exe"
Value: "MediaAVI Driver"
With data: "%ProgramFiles%\mediaavi.exe"
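The two registry checks above can be scripted so they are run the same way on every suspect machine. The following PowerShell script is an added example, not code from the original post or from Microsoft support; it assumes PowerShell 2.0 or later on the machine being examined, run from an elevated prompt so that the HKLM service keys are readable. It covers both checks: it lists every service whose ImagePath is the netsvcs svchost line and flags those whose Parameters\ServiceDll is missing or points outside System32 (a heuristic I have added; the post only names the ImagePath), and it looks for the three IRCbot.BH value names and dropped executables listed above. The post does not say which key holds the IRCbot values, so checking the standard HKLM and HKCU Run keys is an assumption.

```powershell
# Added triage example (not from the original post). Run elevated.

# Conficker.A check: the service's ImagePath is the stock netsvcs svchost line.
$netsvcsPattern = 'svchost\.exe\s+-k\s+netsvcs'

function Get-NetsvcsServices {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $findings = @()
    $services = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $services) {
        # GetValue expands %SystemRoot% in REG_EXPAND_SZ data for us
        $imagePath = [string]$key.GetValue('ImagePath')
        if ($imagePath -notmatch $netsvcsPattern) { continue }

        # Services in the netsvcs group load a DLL named under Parameters\ServiceDll
        $params = $key.OpenSubKey('Parameters')
        $dll = if ($params) { [string]$params.GetValue('ServiceDll') } else { '' }

        # Heuristic (my assumption, not from the post): a legitimate netsvcs DLL lives under System32
        $reason = ''
        if (-not $dll) {
            $reason = 'no ServiceDll under Parameters'
        } elseif (-not $dll.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reason = 'ServiceDll outside System32'
        }

        $findings += New-Object PSObject -Property @{
            Service    = $key.PSChildName
            ImagePath  = $imagePath
            ServiceDll = $dll
            Suspicious = $reason
        }
    }
    return $findings
}

# IRCbot.BH check: value names and data exactly as listed in the post.
$ircbotValues = @{
    'MS Gaurd Driver' = '%ProgramFiles%\msgaurd.exe'
    'SoundMAX Driver' = '%ProgramFiles%\soundmax.exe'
    'MediaAVI Driver' = '%ProgramFiles%\mediaavi.exe'
}
# Assumption: the post does not name the key, so the usual autostart Run keys are checked.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-IrcbotIndicators {
    $findings = @()
    foreach ($path in $runKeys) {
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $ircbotValues.Keys) {
            $prop = $props.PSObject.Properties[$name]
            if ($prop) {
                $findings += New-Object PSObject -Property @{
                    Where = $path; Name = $name; Data = [string]$prop.Value
                }
            }
        }
    }
    # Also check whether the dropped executables named in the post are present on disk
    foreach ($exe in $ircbotValues.Values) {
        $expanded = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-Path -LiteralPath $expanded) {
            $findings += New-Object PSObject -Property @{
                Where = 'file system'; Name = $expanded; Data = 'file present'
            }
        }
    }
    return $findings
}

# Report: every netsvcs service is listed so a random-looking name stands out;
# the Suspicious column carries the DLL-location heuristic.
'netsvcs services:'
Get-NetsvcsServices | Sort-Object Suspicious -Descending |
    Format-Table Service, Suspicious, ServiceDll -AutoSize

$ircbot = Get-IrcbotIndicators
if ($ircbot) {
    'IRCbot.BH indicators:'
    $ircbot | Format-Table Where, Name, Data -AutoSize
} else {
    'No IRCbot.BH indicators from the post were found.'
}
```

Read the netsvcs table against the list of services you expect on that build; the random service name the post describes will not match any known product, and an empty or out-of-place ServiceDll narrows it down further. A hit on either table is an indicator, not proof, so confirm with an up-to-date AV scan before cleaning.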
If you discover that you have an infected system, here are the next steps:
As always, if you have any questions regarding this or any other exploit on a Windows system, or if you run into difficulties with cleaning infected Windows systems, please open a Support Incident with our Security team. Below are some additional resources regarding Security and Vulnerabilities.
With that, we’ve come to the end of this post. Until next time …
- CC Hameed
How do I check at the DOS command prompt whether my CPU usage has increased? Can you show the steps? What should I do? I want to check if worms are inside my PC, because recently it has crashed more often and some programs fail to perform.