UPDATE - CCIP ALERT: Exploitation of MS08-067
Good Afternoon,

CCIP wanted to update you on a worm that is installing the Gimmiv.A trojan by actively exploiting the MS08-067 vulnerability.

The Emerging Threats site (http://www.emergingthreats.net/index.php/component/content/article/1-latest/...) has posted a Snort rule which can alert on an infected machine, due to Gimmiv.A making outbound pings to Google IP addresses with a specific payload:

    alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726; rev:1;)

The Emerging Threats site is also hosting a set of 32 Snort rules, developed by Secureworks, that will detect attempts to exploit this vulnerability:

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-...

Regards,
Paul.

--
Paul McKitrick
Business Manager
Centre for Critical Infrastructure Protection
D: (+64) 4 498 7645
P: (+64) 4 498 7654
F: (+64) 4 498 7655
E: paul.mckitrick(a)ccip.govt.nz
W: www.ccip.govt.nz
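The match logic of the Gimmiv.A ping rule quoted above, as an added example that is not part of the original advisory or of Emerging Threats' code: it applies the rule's itype, icode, dsize and content conditions to raw IPv4 packets, so the same check can be run over captured traffic without Snort. The HOME_NET range, the helper names, the sample addresses and the 20th payload byte are assumptions made for the example.

```python
import ipaddress
import struct

# Match conditions copied from the rule in the advisory (sid 2008726).
RULE_ITYPE, RULE_ICODE, RULE_DSIZE = 8, 0, 20
RULE_CONTENT = b"abcde12345fghij6789"
# Assumption: stand-in for $HOME_NET; $EXTERNAL_NET is treated as "not HOME_NET".
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

def in_home_net(packed_addr: bytes) -> bool:
    return any(ipaddress.ip_address(packed_addr) in net for net in HOME_NET)

def matches_rule(packet: bytes) -> bool:
    """True if a raw IPv4 packet meets every condition of the rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 1 or not ihl + 8 <= total_len <= len(packet):
        return False  # not ICMP (protocol 1), or truncated
    if not in_home_net(packet[12:16]) or in_home_net(packet[16:20]):
        return False  # rule direction is $HOME_NET -> $EXTERNAL_NET
    payload = packet[ihl + 8:total_len]  # dsize counts bytes after the 8-byte echo header
    return (packet[ihl] == RULE_ITYPE and packet[ihl + 1] == RULE_ICODE
            and len(payload) == RULE_DSIZE and RULE_CONTENT in payload)

def build_icmp(src: str, dst: str, payload: bytes, itype: int = 8) -> bytes:
    """Build a constructed test packet; checksums are left at 0 (not checked above)."""
    icmp = struct.pack("!BBHHH", itype, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + icmp

# Constructed samples. 203.0.113.10 is a documentation address standing in for an
# external host. The marker is 19 bytes and the page does not give the 20th payload
# byte, so a NUL is assumed here.
SAMPLES = {
    "marker ping outbound": build_icmp("10.1.2.3", "203.0.113.10", RULE_CONTENT + b"\x00"),
    "ordinary 20-byte ping": build_icmp("10.1.2.3", "203.0.113.10", b"A" * 20),
    "marker, 19-byte payload": build_icmp("10.1.2.3", "203.0.113.10", RULE_CONTENT),
    "marker ping inbound": build_icmp("203.0.113.10", "10.1.2.3", RULE_CONTENT + b"\x00"),
    "marker in echo reply": build_icmp("10.1.2.3", "203.0.113.10", RULE_CONTENT + b"\x00", itype=0),
}

def scan(samples: dict) -> list:
    return [name for name, pkt in samples.items() if matches_rule(pkt)]

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {'ALERT' if matches_rule(pkt) else 'no match'}")
```

Only the first sample alerts: the rule needs an outbound echo request whose payload is exactly 20 bytes and contains the 19-byte marker, so a marker-only payload, an inbound ping or an echo reply does not match.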