Microsoft is aware of public reports regarding an attack known as Win32/Graweg exploiting the vulnerability addressed by security update MS06-040. Microsoft's initial investigation of Win32/Graweg verified that it only affects users running Windows 2000 who have not applied the update detailed in MS06-040. Microsoft has activated its emergency response process and is continuing to investigate this issue.
The Microsoft Security Response Alliance partners and our own internal teams are not currently aware of widespread customer impact and have rated Win32/Graweg as a Low threat. At this time it does not appear to be an autospreading internet-wide worm.
Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows or using their deployment infrastructure in their enterprise or small business.
Customers who believe that they are infected or are not sure whether they are infected by Win32/Graweg should visit Safety.live.com and choose "Protection Scan" or run the latest version of the Malicious Software Removal Tool from either Microsoft Update or Windows Update to ensure that their systems are free of infection.
Customers who believe they have been attacked should contact their local FBI office or report their situation to www.ic3.gov. Customers outside the U.S. should contact the national law enforcement agency in their country.
Customers who believe they are affected can contact Product Support Services. Customers in North America can get help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security.
Mitigating Factors:
• Customers who have installed the MS06-040 security update are not affected by this vulnerability.
• While installation of the update is the recommended action, customers who have applied the mitigations identified in MS06-040 will have minimized their exposure and potential exploitability against an attack.
Additional Resources:
• Security Advisory 922437 - Exploit Code Published Affecting the Server Service: http://www.microsoft.com/technet/security/advisory/922437.mspx
• Microsoft Security Bulletin MS06-040 - Vulnerability in Server Service Could Allow Remote Code Execution (921883): http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
• MSRC Blog: http://blogs.technet.com/msrc/
Note: check the MSRC Blog periodically as new information may appear there.