Worm attacks Windows RPC flaw

The worm, identified as W32.Downadup by Symantec and F-Secure, and as W.32 Conficker by McAfee, targets the MS08-067 vulnerability that was discovered by Microsoft in October.

The worm analyses the version of the operating system to determine how it will install itself as a service, according to McAfee, which added that it then downloads more malware and sets up an HTTP server to listen for communication with the affected system. It also attempts to infect other machines on the local network.

In its post on the subject, Microsoft adds that the malware then patches the exploit, presumably so that other malware cannot infect the target machine and displace it.

The vulnerability, which was considered so severe that Microsoft issued an emergency patch for it, lies in the Windows Server service. A maliciously coded remote procedure call could enable attackers to execute arbitrary code on the machine, said the software vendor. A patch has been available for a month, leaving bloggers at McAfee Avert Labs shaking their heads in dismay over people who still haven’t applied it.
 
