[Fwd: Conficker Worm using Metasploit payload to spread]

[hdm at metasploit.com (H D Moore)]

On Fri, 2009-01-16 at 09:29 -0500, ArcSighter Elite wrote:
> Ok, we're being used by worms?

Nope, were being used by the media; the worm copied the SRVSVC
technique, which (unreliably) determines SP0/SP1 from SP2/SP3. The worm
also took the default return addresses and DisableNX stubs; but thats
about it. The majority of the code, including the SMB stuff, is
completely unrelated.

-HD