Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

AVERT Labs - Conficker Worm using Metasploit payload to spread

By using special Metasploit routines, the Conficker worm can determine precisely which operating system and service pack a target is running, allowing it to infect systems more effectively. This may be contributing to its ability to spread rapidly.

AVERT Labs - Conficker Worm using Metasploit payload to spread
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/

QUOTE: Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself.

Metasploit also provides the “smb_fingerprint” function to detect the Windows version information, Service Pack information and also the language information of the target OS. This makes programming the worm much easier and can cause much bigger impact. By using the exploit from the metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading.

Since there are a huge number of Windows XP systems it’s obvious that the worm writer did not want to miss out on this pool, hence this is why the worm determines what the Service Pack level is by accessing.

Comments

AVERT Labs - Conficker Worm using Metasploit payload to spread … said:

Pingback from  AVERT Labs - Conficker Worm using Metasploit payload to spread …

# January 15, 2009 6:11 PM
