LURHQ has relased a very good analysis of the MS06-040 IRC Bot which started exploiting vulnerable systems this weekend. You can view the analysis at the LURHQ website. SANS also has a very good article on some steps to take to block or detect this on your network. Note the following:
- Lookout for laptops coming back into your internal network. Telecommuters that VPN in from home then come back to the corporate network could be vulnerable if not patched.
- Outgoing traffic to 18067/TCP bniu.househot.com, ypgw.walloan.com.
- Outgoing traffic to port 445/TCP (scans could be internal and external) looking for computers to infect.
- Anti-virus vendors may not be up-to-date with definitions so patching is your best defense right now.