10/24/2008
Update 5: Microsoft alert status, new information and exploit (ongoing)
We will add updated content as it becomes available. If you have more or better information on this evolving situation, please put it in the comments. From now on, the number of each new item is placed in front of its text.
A more detailed description of the vulnerability for each platform
And what about the Windows 7 beta? Even their newest project, the Windows 7 pre-beta, is affected. It is interesting to note that authentication changes how the exploit can be delivered, while the same vulnerable code remains in the base networking code: "On Windows 7 Pre-Beta systems, the vulnerable code path is only accessible to authenticated users. This vulnerability is not liable to be triggered if the attacker is not authenticated, and therefore would be rated Important." Is "guest" considered an authenticated user on Windows 7?
More solutions for Vista and Windows 2008 (if we had them....)
(4) Your IDS and other protection systems (such as Snort) and your application or code firewalls have updated, or are updating, their signatures. Apply those signatures as soon as they are released.
The best thing to do is to visit Windows Update or enable Automatic Updates, and then confirm on each machine that the update for the Server service has actually been installed.
Workaround (in Microsoft's own words, for a scenario they say is unsupported): "There is one other workaround option that we didn't include in the bulletin because it is not a supported scenario. The Server service exposes the vulnerable code over an RPC named pipe. The access control list for the named pipe is specified in the netapi32.dll code. It can be changed for any current Windows session. When Windows is rebooted, the ACL will get reset to the default value. However, if you were to change the ACL on every boot after the service is started, the window of attack for anonymous users would be very small. We have developed a simple tool that can remove the ANONYMOUS access control entry in the named pipe's access control list. (Please remember that this is not a supported scenario.)" Attachment: chacl.c
Malware that uses this vulnerability, according to Microsoft:
TrojanSpy:Win32/Gimmiv.A is a trojan that gathers system information from the host computer on which it is installed. The trojan may delete itself after performing its data gathering routine.
TrojanSpy:Win32/Gimmiv.A.dll is a trojan that gathers system information from the host computer on which it is installed. The trojan runs as a service for a short time and may delete itself after performing its data gathering routine. More information here (there are different variants, each with a different installation script, such as ZXELZWKO.bat, TNDXBKEI.bat, DKXDJOUA.bat and so on).
(4) From Symantec: "While we haven't seen wide-spread exploitation of this issue, there have been reports of a certain file, "n2.exe," being downloaded on compromised computers. This file copies another piece of malicious code onto the compromised computer. Symantec products already detect both of these files as Infostealer." It is also detected under the name Bloodhound.
(5) A more technical explanation of the bug, why it was not found earlier, the code of the patch, and the EXPLOIT
More information, with more files, has been found here.
Sites the trojan tried to connect to (to block):
202.108.22.44 (a host name lookup for this address was requested from the host database)
59.106.145.58 (an Internet connection to this address was established)
downloads files from
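As an added example that is not part of the original post and not a vendor's tool: a small matcher in C that checks proxy or firewall log lines for connections to the two addresses listed above and for downloads of the "n2.exe" file reported by Symantec. The key=value log format and the sample lines are constructed for this illustration (adapt the field names to your own logs); the match on the address is exact, so a near-miss such as 202.108.22.440 is not reported.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Indicators taken from the report above. */
static const char *const BLOCKED_IPS[] = { "202.108.22.44", "59.106.145.58" };
static const char *const BLOCKED_FILE = "n2.exe";

/* Copy the value of "key" (up to the next whitespace or end of line) into out.
 * Returns 1 if the key was present, 0 otherwise. */
static int get_field(const char *line, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(line, key);
    if (!p)
        return 0;
    p += strlen(key);
    size_t n = strcspn(p, " \t\r\n");
    if (n >= outsz)
        n = outsz - 1;              /* truncate rather than overflow out */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* 1 if the line contacts a listed address (whole dst= value must match) or
 * fetches a URL whose path ends in the listed file name, else 0. */
int line_is_ioc_hit(const char *line)
{
    char val[256];

    if (get_field(line, "dst=", val, sizeof val)) {
        for (size_t i = 0; i < sizeof BLOCKED_IPS / sizeof BLOCKED_IPS[0]; i++)
            if (strcmp(val, BLOCKED_IPS[i]) == 0)
                return 1;
    }
    if (get_field(line, "url=", val, sizeof val)) {
        size_t vl = strlen(val), fl = strlen(BLOCKED_FILE);
        if (vl >= fl && strcmp(val + vl - fl, BLOCKED_FILE) == 0)
            return 1;
    }
    return 0;
}

/* Number of lines in the array that hit an indicator. */
int count_ioc_hits(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += line_is_ioc_hit(lines[i]);
    return hits;
}

/* Constructed sample lines, not real traffic; 192.0.2.0/24 is a test range. */
const char *const SAMPLE_LOG[] = {
    "2008-10-24 09:12:01 src=10.0.0.15 dst=202.108.22.44 dport=80",
    "2008-10-24 09:12:05 src=10.0.0.15 dst=59.106.145.58 dport=80",
    "2008-10-24 09:13:10 src=10.0.0.22 dst=202.108.22.440 dport=443",
    "2008-10-24 09:14:42 src=10.0.0.15 dst=192.0.2.9 url=http://192.0.2.9/n2.exe",
    "2008-10-24 09:15:00 src=10.0.0.8 dst=192.0.2.10 url=http://192.0.2.10/index.html",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("%s %s\n", line_is_ioc_hit(SAMPLE_LOG[i]) ? "HIT " : "    ",
               SAMPLE_LOG[i]);
    printf("%d hits in %zu lines\n",
           count_ioc_hits(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

On the constructed sample, three of the five lines are reported: the two listed addresses and the n2.exe download; the 202.108.22.440 line is correctly ignored.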
More attack code to come. "It is very exploitable," said Immunity security researcher Bas Alberts. "It's a very controllable stack overflow." A stack overflow bug is a programming error that lets an attacker write more data into a buffer on the stack than the buffer can hold. The excess spills into adjacent memory that should have been out of reach, such as the saved return address of the running function; when that function returns, the processor jumps to an address of the attacker's choosing, and the attacker's code runs on the victim's computer.
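To make the quoted point concrete, here is an added illustration in C of that bug class, written for this post; it is a made-up RPC handler, not the netapi32.dll code, the patch, or the exploit. The vulnerable handler copies a length-prefixed string from the client into a fixed stack buffer using the client's own length, which is exactly what makes such a bug "controllable": the attacker picks both the bytes and how far past the buffer they reach. The hardened handler adds the missing bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical handler for a network request carrying a length and a name.
 * The buffer size and the request format are assumptions for this example. */

#define NAME_MAX_LEN 32   /* size of the stack buffer, terminator included */

/* Vulnerable form: the copy length comes straight from the client. Anything
 * longer than the buffer overwrites the rest of the stack frame, including
 * the saved return address. */
int handle_request_vulnerable(const unsigned char *data, uint32_t len)
{
    char name[NAME_MAX_LEN];

    memcpy(name, data, len);   /* BUG: len is never compared with sizeof name */
    name[len] = '\0';          /* BUG: and the terminator lands one byte further */
    return (int)strlen(name);
}

/* The check the vulnerable handler is missing: the data plus its terminator
 * must fit, so len has to be strictly less than the buffer size. */
int request_len_is_safe(uint32_t len)
{
    return len < NAME_MAX_LEN;
}

/* Hardened form: reject oversized input before touching the stack buffer
 * and report the failure to the caller instead of carrying on. */
int handle_request_hardened(const unsigned char *data, uint32_t len)
{
    char name[NAME_MAX_LEN];

    if (!request_len_is_safe(len))
        return -1;             /* client sent too much: drop the request */
    memcpy(name, data, len);
    name[len] = '\0';
    return (int)strlen(name);
}

int main(void)
{
    /* Constructed requests: one benign, one far too long for the buffer. */
    const unsigned char benign[] = "workstation1";
    unsigned char oversized[200];
    memset(oversized, 'A', sizeof oversized);

    printf("hardened, benign:      %d\n",
           handle_request_hardened(benign, (uint32_t)strlen((const char *)benign)));
    printf("hardened, oversized:   %d\n",
           handle_request_hardened(oversized, (uint32_t)sizeof oversized));

    /* The vulnerable handler copies all 200 bytes over its own frame. Built
     * with -fstack-protector or -fsanitize=address this call aborts with a
     * stack-smashing report instead of returning normally. */
    printf("vulnerable, oversized: %d\n",
           handle_request_vulnerable(oversized, (uint32_t)sizeof oversized));
    return 0;
}
```

The interesting boundary is the off-by-one: a 32-byte buffer holds at most 31 data bytes plus the terminator, so the check must be "less than", not "less than or equal to". Running the program as written demonstrates the crash; the hardened path returns -1 for the same input and leaves the stack untouched.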
Sunbelt says this: "We have samples in-house of the trojans in the wild that are being used in targeted attacks, taking advantage of this exploit. These are currently only targeted attacks, not being used broadly by malware authors."
Websense is already blocking sites that use this exploit.
More attacks to come: Redmond has acknowledged that criminals have been using the vulnerability for the past three weeks to conduct targeted attacks. The source said that so far fewer than 100 targeted attacks leveraging this flaw have been spotted by Microsoft's security team, but that Microsoft was rushing out this patch because the number of attacks appears to be increasing of late.
17:01