Correction: There is a worm component. (Yes, the trojan itself isn't a worm. But that overlooks the behavior of a dll, a dll dropped by Gimmiv, which is a worm. Now, that doesn't mean we're at a SQL Slammer type worm stage. This Trojan has to get into a system. But, nevertheless, I stand corrected.)
Looking at the particular trojan that blog mentioned, it seems to me to be a trojan related to the MS08-067 attacks that I took a quick look at this morning:
You can see it targeting antivirus vendors like Bitdefender, Jiangmin, Kingsoft, Symantec, Microsoft, Rising and Trend.
And in this screen, you can see some pretty ugly stuff. This is not a nice trojan:
At any rate, I don’t want to de-emphasize the absolutely vital need to patch systems ASAP.
And, we would make an educated guess that a worm will hit soon (maybe in the next day or so).
I was stuck in meetings today and didn’t get a chance to write much more than I did earlier.
Just some quick notes on MS08-067.
– We have in-house samples of the in-the-wild trojans that are being used in targeted attacks exploiting this vulnerability. These are currently only targeted attacks, not being used broadly by malware authors.
– It is not a light thing. The urgency is quite real — unpatched, you’ve got the spectre of another SQL Slammer, Code Red type of scenario if the malware writers create a worm. The other issue with this patch is that it affects a broad number of systems (XP, Windows 2000 and 2003 — the Vista/2008 platform isn't at the same level of risk).
– It is an extraordinary event that pushes Microsoft to do an out-of-band update. This is a big deal for them — each update is tested on a vast number of machines. It underscores the potential seriousness of this vulnerability.
Patch like hell and let’s hope everything will be ok in the morning.