MS06-040 attack information

Stepto here. It’s a late, late Saturday night. Several hours ago we were made aware of a SANS Internet Storm Center diary post regarding an active exploit of MS06-040. We wanted to let you know what we’ve been doing about the situation and what we know. Our AV teams have labeled this Win32/Graweg.A and Win32/Graweg.B and have already added detection to our various offerings, such as Windows OneCare.


So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with internet-wide worms. In fact, our initial investigation reveals this isn’t a worm in the classic “autospreading” sense, and it appears to target Windows 2000.


Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed you are not affected.


While all that could change based on the actions of the criminals, it’s important to scope the situation and take the opportunity to stress that everyone should apply this update.


We’ll be working through the night on this, of course. I want to say it again: it’s critical that everyone deploy MS06-040 across their systems ASAP. But I also want to stress that our initial indicators are not showing an internet-wide impact or some type of efficient automated attack. We’ll update the blog and our other communication on this should we see that happen. Right now, we are gathering information that we will provide to law enforcement as needed, and are sharing information with all of our Microsoft Security Response Alliance partners.
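Since the post’s one hard guarantee is “if you have the MS06-040 update installed you are not affected,” the practical follow-up is to verify that across a fleet rather than assume it. The script below is an added example, not part of the original post or of any Microsoft tooling. It queries each host’s hotfix inventory (the Win32_QuickFixEngineering WMI class) for KB921883, the knowledge base article that MS06-040 shipped as (the KB number is not stated on this page and is taken from the bulletin), and reports the OS caption alongside, so unpatched Windows 2000 machines, the platform the attack is reported to target, stand out for priority. Host names are placeholders.

```powershell
# Added example (not from the original MSRC post): inventory hosts for MS06-040.
# Assumptions: MS06-040 corresponds to KB921883 (from the bulletin, not this page);
# WMI/DCOM is reachable on the target hosts with the caller's credentials.
param(
    [string[]]$ComputerName = @('srv01', 'srv02', $env:COMPUTERNAME),  # placeholder host list
    [string]$HotFixId = 'KB921883'                                     # MS06-040
)

foreach ($computer in $ComputerName) {
    try {
        # Installed hotfixes and OS identity from the remote (or local) host.
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer -ErrorAction Stop
        $os  = Get-WmiObject -Class Win32_OperatingSystem    -ComputerName $computer -ErrorAction Stop

        $hit = $qfe | Where-Object { $_.HotFixID -eq $HotFixId }

        New-Object PSObject -Property @{
            Computer    = $computer
            OS          = $os.Caption
            Patched     = [bool]$hit
            InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
            # Windows 2000 hosts are the reported target; flag them even when patched.
            Priority    = if ($os.Caption -like '*2000*' -and -not $hit) { 'HIGH' } else { 'normal' }
        }
    }
    catch {
        # An unreachable host is an unknown, not a pass; report it explicitly.
        New-Object PSObject -Property @{
            Computer    = $computer
            OS          = $null
            Patched     = $null
            InstalledOn = $null
            Priority    = "unknown: $($_.Exception.Message)"
        }
    }
} | Sort-Object Priority, Computer | Format-Table -AutoSize
```

Caveat: on Windows 2000 and XP the QFE inventory is not always complete (updates applied by some deployment mechanisms do not register there, and older entries use a Qnnnnnn rather than KBnnnnnn identifier), so treat a missing entry as “unverified” and confirm against the file versions listed in the bulletin before calling a host unpatched. A present entry is reliable evidence the update was applied.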


One last thing.  You’ve heard me say it a lot, but it bears repeating:


Customers who believe they have been attacked should contact their local FBI office or report their situation to Customers outside the U.S. should contact the national law enforcement agency in their country. Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY); international customers can use any method found at this location:



*This posting is provided “AS IS” with no warranties, and confers no rights.*