Just hours after the release of the MS08-067 security bulletin, the Gimmiv.A worm is the first real malware taking advantage of the RPC vulnerability. There’s a good writeup of what the worm does here, so I won’t repeat it. The dropsite used by the worm to post logins and passwords it captured has been closed, and it doesn’t appear to spread very fast, but at least a couple of thousand machines have been infected.
Snort IDS detection signatures for the worm have been published by Sourcefire, and most virus scanners will also recognize it by now. If you happen to find a suspicious file that might be another worm attempting to exploit this bug, you can check whether it’s recognized by the major virus scanners at VirusTotal. If it’s not, you can submit it to Microsoft at the MMPC.
Despite the first exploit showing up this fast, the ISC has lowered its threat level back to green. As they put it:
This is not because of any lowering of threat, but to return to our normal steady state. […] If you see it rise again over the weekend, you’ll know it’s gotten a whole lot worse.
Symantec is still at threat level 2:
A public proof-of-concept exploit has been released. We believe it’s only a matter of time until fully functional public exploits are released. It is also likely that additional bots and worms will begin to integrate this exploit into their propagation routines.