
Received some samples of the malware exploiting MS08-067 earlier today and decided to set up a little lab where I more or less manually installed the worm in a controlled environment.
Does not seem to be very advanced, but then again it’s just a dropper with worm functionality. The server that this sample tries to contact is down and therefore it cannot download the “stage 2” software pack or send back any information. If it had been able to do so, the picture probably would have been different.
Recorded one of my attempts with Jing, but it didn’t turn out too well. Jing ate a lot of CPU (and my test machine is not made of muscles directly
Anyways, click here to see the video! And yeah, sorry about the Swedish OS…
A good technical analysis of the Gimmiv.A trojan/worm can be found on the ThreatExpert blog. More information from Microsoft and The Register.
Trackback link: http://www.icmpecho.com/2008/11/05/playing-around-with-gimmiva-ms08-067-worm/trackback/