Detected Intrusion.Win.NETAPI.buffer-overflow.exploit on my network
Guys,
My Kaspersky Internet Suite caught this. And I’ll go straight to the point:
It uses port 445.
The common approach is to block port 445 at the firewall to prevent such attacks, and you can check the event log for hybrid threats.
It is a critical vulnerability in Microsoft's Server Service that has only been patched by Microsoft (MS08-067), and a worm called Gimmiv.A has been found to be exploiting it.
Once executed, the worm will drop 3 files: winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem\basesvc.dll.
It will then install and start up a new service called BaseSvc with the display name “Windows NT Baseline”. The service BaseSvc will force svchost.exe to load the DLL winbase.dll which is specified as a ServiceDll parameter for BaseSvc.
Once loaded, winbase.dll will load 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.
After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption.
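A triage check for the service persistence described above, as an added example (not from the original post or from Kaspersky): it parses the text of a regedit export of the Services key and flags the BaseSvc name, the "Windows NT Baseline" display name, and any ServiceDll whose file name is one of the three dropped DLLs. The function names and the sample export, including the `%SystemRoot%\System32\wbem` path, are constructed for illustration.

```python
import re

# Indicators named in the post above.
DLLS = {"winbase.dll", "basesvc.dll", "syicon.dll"}
SERVICE, DISPLAY = "basesvc", "windows nt baseline"

def decode(raw):
    """Decode a .reg value: quoted string, or hex(2) (REG_EXPAND_SZ, UTF-16LE)."""
    m = re.match(r"hex\(2\):(.*)", raw)
    if m:
        return bytes.fromhex(m.group(1).replace(",", "")).decode("utf-16-le").rstrip("\0")
    return raw.strip('"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {key path: {lower-cased value name: value}} from .reg export text."""
    keys, cur = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and line.startswith('"'):
            name, _, raw = line.partition('"=')
            cur[name.strip('"').lower()] = decode(raw)
    return keys

def scan(text):
    """Return sorted (service, reason) pairs matching the post's indicators."""
    hits = set()
    for path, vals in parse_reg(text).items():
        m = re.search(r"\\Services\\([^\\]+)(\\Parameters)?$", path, re.I)
        svc, dll = (m.group(1) if m else ""), vals.get("servicedll", "")
        checks = {"service name": svc.lower() == SERVICE,
                  "display name": vals.get("displayname", "").lower() == DISPLAY,
                  "ServiceDll " + dll: dll.rsplit("\\", 1)[-1].lower() in DLLS}
        hits.update((svc, why) for why, hit in checks.items() if m and hit)
    return sorted(hits)

def hex2(s):  # encode as regedit writes REG_EXPAND_SZ, with one "\" continuation
    h = ",".join("%02x" % b for b in (s + "\0").encode("utf-16-le"))
    return "hex(2):" + h[:60] + "\\\n  " + h[60:]

# Constructed sample export, not taken from a real host.
ROOT = r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
SAMPLE = "\n".join([
    ROOT + "BaseSvc]", '"DisplayName"="Windows NT Baseline"',
    ROOT + r"BaseSvc\Parameters]",
    '"ServiceDll"=' + hex2(r"%SystemRoot%\System32\wbem\winbase.dll"),
    ROOT + r"Dhcp\Parameters]",
    '"ServiceDll"=' + hex2(r"%SystemRoot%\System32\dhcpcore.dll")])
```

regedit writes its exports as UTF-16, so read a real file with `open(path, encoding="utf-16").read()` before passing the text to `scan`. A match on DLL file name alone is a lead to verify, not proof of infection.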










I always prefer to use Kaspersky over Avast or McAfee. Kaspersky is much better at detecting new viruses and it does not consume too many resources on your desktop PC.
Kaspersky is one of the best antiviruses that you can get. I also use Avast.