Microsoft: Worm Exploiting Networked Computers via HTTP

Microsoft reported in its most recent security bulletin that a worm dubbed Win32/Conficker.gen!A is spreading to computers across a network by exploiting a vulnerability in the Windows Server service, which allows remote code execution while file sharing is enabled.

The worm apparently searches for the Windows executable ‘services.exe’ and injects itself into it, copying itself into the Windows system folder as a DLL with a random name. Furthermore, the worm sets the file time of the dropped DLL copy to match the system’s kernel32.dll so as not to leave any evidence of the infection time, and then modifies the registry to execute the dropped DLL as a service.

Microsoft warned that the worm bypasses the Windows firewall by using APIs, and also stops the Internet Connection Sharing service. Furthermore, it opens and listens for connection attempts on a random port between 1024 and 10000.

The worm propagates from the host computer to other computers across a network over HTTP on a random port, downloading copies of itself onto the other computers. Furthermore, it uses several URLs to establish the geographic location of computers, but it does not seem to exploit computers located in Ukraine.
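The artifacts described above (a randomly named DLL in the system folder whose file time has been copied from kernel32.dll, a service entry pointing at it, a listener on a port between 1024 and 10000, and a stopped Internet Connection Sharing service) can be checked for on a single host. The script below is an added example for that purpose and is not part of Microsoft's bulletin or this article. It assumes the system folder is %SystemRoot%\System32, that the service is registered through the standard ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters, that the ICS service name is SharedAccess, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 or later); run it in an elevated PowerShell session.

```powershell
# Added example, not code from the bulletin or the article. Assumptions: the dropped
# DLL is in %SystemRoot%\System32, its LastWriteTime was copied from kernel32.dll,
# the service points at it via the standard ServiceDll registry value, and the
# Internet Connection Sharing service is named SharedAccess. Requires elevation.

$system32     = Join-Path $env:SystemRoot 'System32'
$kernel32Time = (Get-Item (Join-Path $system32 'kernel32.dll')).LastWriteTime

# 1. DLLs whose modification time exactly equals kernel32.dll's. Files shipped in the
#    same servicing update can legitimately match, so treat hits as leads, not verdicts.
$timeMatches = Get-ChildItem -Path $system32 -Filter '*.dll' -File |
    Where-Object { $_.Name -ne 'kernel32.dll' -and $_.LastWriteTime -eq $kernel32Time }

# 2. Services whose ServiceDll resolves to one of those DLLs (the article says the
#    worm registers the dropped DLL to run as a service).
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$suspectServices = foreach ($svc in Get-ChildItem $servicesKey -ErrorAction SilentlyContinue) {
    $params = Join-Path $svc.PSPath 'Parameters'
    if (-not (Test-Path $params)) { continue }
    $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($dll)
    if ($timeMatches.FullName -contains $expanded) {
        [pscustomobject]@{ Service = $svc.PSChildName; ServiceDll = $expanded }
    }
}

# 3. Listening TCP ports in the reported range (1024-10000) with the owning process,
#    for manual review; most entries will be legitimate.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -ge 1024 -and $_.LocalPort -le 10000 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess; Process = $proc.ProcessName }
    }

# 4. The worm is reported to stop Internet Connection Sharing (service name assumed: SharedAccess).
$ics = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue

"DLLs sharing kernel32.dll's timestamp ($kernel32Time):"
$timeMatches | Select-Object Name, Length, FullName | Format-Table -AutoSize
"Services registered with one of those DLLs:"
$suspectServices | Format-Table -AutoSize
"Listening TCP ports 1024-10000:"
$listeners | Sort-Object Port | Format-Table -AutoSize
"Internet Connection Sharing (SharedAccess) status: $($ics.Status)"
```

The timestamp check alone produces false positives, since every DLL from the same update as kernel32.dll shares its file time; the useful signal is a timestamp match combined with a service entry that loads that DLL, which is why step 2 intersects the two sets rather than reporting either list on its own.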

Microsoft recommended that users keep the firewall enabled on their computers, install the latest updates (details here), keep their anti-virus software up to date, and be cautious when opening attachments, accepting file transfers or clicking on links.