SonicWall Security Center

MS08-067 exploit in wild (Oct 23, 2008)


Today the SonicWALL UTM Research team received malware samples that exploit the newly patched MS08-067 Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. The filenames were n[x].exe (where [x] = 1, 2 or 3).

The malware is 397,312 bytes in size. When executed, it drops the following malicious file into the system folder:

  • sysmgr.dll

It registers and starts a service named "sysmgr" (display name "System Maintenance Service") and deletes the original copy of the malware from the folder it was executed from.

It tries to communicate with the following domains over HTTP:


The trojan generates a URL based on the operating system and antivirus information on the infected host, in the following format: IPADDRESS/test2.php?abc=A?def=B

Here A is a numeric code for the antivirus application found on the host, and B is a numeric code for the operating system; both values therefore vary from one infected host to another.
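The beacon format above is unusual in that the second parameter is introduced by a second "?" rather than "&", so a standards-based query parser folds "def=B" into the value of "abc". The following added example (not part of the original SonicALERT) matches the raw URL field of proxy log lines against that exact shape and extracts the A and B codes; the log lines are constructed for illustration and the beacon host is a placeholder address.

```python
import re
from urllib.parse import urlsplit

# Beacon shape from the report: IPADDRESS/test2.php?abc=A?def=B
# Match the raw path+query instead of using parse_qs(), which would
# return {"abc": ["A?def=B"]} because of the second "?" separator.
BEACON_RE = re.compile(r"/test2\.php\?abc=(\d+)\?def=(\d+)$")


def parse_beacon(url):
    """Return (A, B) as ints if `url` matches the beacon format, else None."""
    m = BEACON_RE.search(url)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


# Constructed squid-style access log lines (client IP is field 3, URL is
# field 7). 192.0.2.10 is a placeholder, not an indicator from the report.
SAMPLE_LOG = """\
1224777600.123 45 10.0.0.21 TCP_MISS/200 512 GET http://192.0.2.10/test2.php?abc=3?def=1 - DIRECT/192.0.2.10 text/html
1224777601.456 12 10.0.0.22 TCP_MISS/200 2048 GET http://www.example.com/index.php?abc=3&def=1 - DIRECT/203.0.113.5 text/html
1224777602.789 33 10.0.0.21 TCP_MISS/404 300 GET http://192.0.2.10/test2.php?abc=12?def=7 - DIRECT/192.0.2.10 text/html
"""


def find_beacons(log_text):
    """Return (client_ip, host, A, B) for every log line carrying a beacon URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line, skip it
        client, url = fields[2], fields[6]
        parsed = parse_beacon(url)
        if parsed is None:
            continue  # ordinary traffic, including look-alike "abc=..&def=.." URLs
        hits.append((client, urlsplit(url).hostname, parsed[0], parsed[1]))
    return hits


if __name__ == "__main__":
    for client, host, a, b in find_beacons(SAMPLE_LOG):
        print(f"beacon from {client} to {host}: antivirus code {a}, OS code {b}")
```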

It also performs the following registry modifications:

  • Creates key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceDll"="C:\WINDOWS\SYSTEM32\wbem\sysmgr.dll" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceMain"="ServiceMainFunc" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "sysmgr"="sysmgr" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "I"="" in key "HKLM\System\CurrentControlSet\Services\sysmgr".
  • Sets value "DisplayName"="System Maintenance Service" in key "HKLM\System\CurrentControlSet\Services\sysmgr".

This malware has very low antivirus detection at the time of this writing; the detection names in use are: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via the GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that detect and prevent attacks targeting this vulnerability. Please refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.
