MS08-067 : W32.Downadup.B
To everyone who has not yet installed the MS08-067 patch: it is high time to do so...
W32.Downadup.B is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). It also attempts to spread to network shares protected by weak passwords and blocks access to security-related Web sites.
Read the full description: W32.Downadup.B - Symantec.com
Update: this is most likely the same beast discussed HERE.
Update from the comments (thanks to Carlo Pagani):
Quick way to kill if you are infected.
1. dir *.* /ahs in the \System32 folder
2. If you see a .DLL file (not always .dll) then you are probably infected.
3. Using process explorer, search for the name you see, then close the handle of the file. If you do not find it in process explorer then it is not active yet but proceed to 4 anyway.
4. Take ownership of the file
5. Delete file
6. Check \WINDOWS\TASK for any job file that does not belong there
7. Look for Autorun.inf file in root. If there, take ownership and delete
9. Enable BITS and Auto update services as the worm disables these.
10. Update Windows.
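The checks in the comment above can be scripted so that a responder gets one read-only report per machine before deciding what to take ownership of and delete. The following PowerShell is an added example written for this page; it is not the commenter's procedure, not Symantec's tooling, and it deletes nothing. It assumes an elevated Windows PowerShell prompt, and it assumes KB958644 as the hotfix ID of the MS08-067 update (that ID is not stated on the page). Process Explorer's handle search is approximated by looking for processes that have the suspect file mapped as a module, which is a narrower check than a file-handle search.

```powershell
# Added triage example (not from the original post or the comment): reports the
# indicators from the cleanup steps without modifying the system.
# Assumptions: run as Administrator in Windows PowerShell; KB958644 is assumed to be
# the MS08-067 update's hotfix ID (fact known to the editor, not stated on the page).

function Get-HiddenSystemFiles {
    param([string]$Folder = (Join-Path $env:SystemRoot 'System32'))
    # Equivalent of "dir *.* /ahs": files carrying BOTH the Hidden and System attributes.
    # The comment notes the extension is not always .dll, so every such file is listed.
    $want = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
    Get-ChildItem -Path $Folder -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $want) -eq $want) }
}

function Get-ProcessesLoadingModule {
    param([Parameter(Mandatory = $true)][string]$FileName)
    # Approximation of step 3: which processes currently have this file mapped as a module.
    # Reading Modules can fail across 32/64-bit boundaries, so failures count as "unknown".
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try { $_.Modules | Where-Object { $_.ModuleName -eq $FileName } } catch { $false }
    } | Select-Object Id, ProcessName
}

function Get-StrayJobFiles {
    # Step 6: .job files in %SystemRoot%\Tasks (the legacy scheduler folder).
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Tasks') -Filter '*.job' -Force `
        -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime, Length
}

function Get-RootAutorun {
    # Step 7: autorun.inf in the root of every filesystem drive, hidden files included.
    Get-PSDrive -PSProvider FileSystem | ForEach-Object {
        $candidate = Join-Path $_.Root 'autorun.inf'
        if (Test-Path -LiteralPath $candidate -ErrorAction SilentlyContinue) {
            Get-Item -LiteralPath $candidate -Force
        }
    }
}

function Get-UpdateServiceState {
    # Step 9: the worm disables BITS and Automatic Updates; both should be Auto and Running.
    Get-WmiObject -Class Win32_Service -Filter "Name='BITS' OR Name='wuauserv'" |
        Select-Object Name, State, StartMode
}

function Test-MS08067Patched {
    # Step 10 precondition: is the MS08-067 update (assumed ID KB958644) installed?
    $hotfix = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='KB958644'"
    return ($hotfix -ne $null)
}

# ---- Report ----
$suspects = @(Get-HiddenSystemFiles)
Write-Host ("Hidden+System files in System32: {0}" -f $suspects.Count)
foreach ($f in $suspects) {
    Write-Host ("  {0}  modified {1:yyyy-MM-dd HH:mm}  {2} bytes" -f $f.Name, $f.LastWriteTime, $f.Length)
    Get-ProcessesLoadingModule -FileName $f.Name |
        ForEach-Object { Write-Host ("    mapped in PID {0} ({1})" -f $_.Id, $_.ProcessName) }
}

Write-Host "Job files in Windows\Tasks:"
Get-StrayJobFiles | ForEach-Object { Write-Host ("  {0}  {1}" -f $_.Name, $_.LastWriteTime) }

Write-Host "autorun.inf at drive roots:"
Get-RootAutorun | ForEach-Object { Write-Host ("  {0}  ({1})" -f $_.FullName, $_.Attributes) }

Write-Host "Update-related services:"
Get-UpdateServiceState | ForEach-Object { Write-Host ("  {0}: {1} / {2}" -f $_.Name, $_.State, $_.StartMode) }

Write-Host ("MS08-067 (KB958644, assumed ID) installed: {0}" -f (Test-MS08067Patched))
```

Treat every line of the report as a lead to verify rather than a verdict: a hidden+system file in System32 is unusual on the Windows versions this worm targeted, but it is not proof of infection on its own, so confirm the file's hash with your AV vendor before removing it. Services reporting Disabled or Stopped, a missing MS08-067 update, or an autorun.inf at a drive root are each worth recording with a timestamp, since together they line up with the behaviour the post describes and are what to re-check after cleanup.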