Security Advisory

Microsoft Security Advisory 922437

Exploit Code Published Affecting the Server Service

Published: August 11, 2006 | Updated: August 13, 2006

Microsoft is aware of public reports regarding an attack known as Win32/Graweg exploiting the vulnerability addressed by security update MS06-040. Microsoft’s initial investigation of Win32/Graweg verified that it only affects users running Windows 2000 that have not applied the update detailed in MS06-040. Microsoft has activated its emergency response process and is continuing to investigate this issue.

The Microsoft Security Response Alliance partners as well as our own internal teams have determined that there is not widespread customer impact and have rated Win32/Graweg as a Low threat. At this time it does not appear to be a self-replicating internet-wide worm.

Microsoft continues to recommend that customers apply the August updates as soon as possible with additional urgency and consideration given to the update detailed in MS06-040. Customers can ensure that the updates are being installed by enabling the Automatic Updates feature in Windows or by using their deployment infrastructure in their enterprise or small business.

Customers who believe that they are infected or are not sure whether they are infected by Win32/Graweg should visit and choose "Protection Scan." Additionally, Windows Live OneCare from Microsoft provides detection against Win32/Graweg and its known variants.

Customers who believe they have been attacked should contact their local FBI office or report their situation to Customers outside the U.S. should contact the national law enforcement agency in their country Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1866-PCSAFETY) and international customers by using any method found at this location:

Mitigating Factors:

  • Customers who have installed the MS06-040 security update are not affected by this vulnerability.
  • While installation of the update is the recommended action, customers who have applied the mitigations as identified in MS06-040 will have minimized their exposure and potential exploitability against an attack.

General Information


Purpose of Advisory: Notification of the availability of a security update to help protect against this potential threat.

Advisory Status: As this issue is already addressed as part of the MS06-040 security bulletin, no additional update is required.

Recommendation: Install the MS06-040 security update to help protect against this vulnerability.

References Identification
CVE Reference CVE-2006-3439
Security Bulletin MS06-040

This advisory discusses the following software.

Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of public posting of exploit code targeting the vulnerability identified in Microsoft Security Update MS06-040. This affects the software that is listed in the “Overview” section

Is this a security vulnerability that requires Microsoft to issue a security update?
No. Customers who have installed the MS06-040 security update are not affected by this vulnerability. No additional update is required.

What causes the vulnerability?
An unchecked buffer in the Server service.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code.

What is the Server service?
The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC.

What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.

Are there any known issues with installing Microsoft Security Update MS06-040 that protects against this threat?
No. Microsoft continues to encourage customers to install the update immediately.

Suggested Actions

If you have installed the update released with Security Bulletin MS06-040, you are already protected from the attack identified in the publicly posted proof of concept code. If you have not installed the update customers are in encourage to apply the mitigations identified MS06-040.

  • Keep Windows Updated
  • All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Microsoft Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
  • Block TCP ports 139 and 445 at the firewall

    This port is used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.

  • Enable advanced TCP/IP filtering on systems

    You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

  • Block the affected ports by using IPsec on the affected systems

    Use Internet Protocol security (IPsec) to help protect network communications. Detailed information about IPsec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

  • Protect Your PC

    We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing anti-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.

  • For more information about staying safe on the Internet, customers can visit theMicrosoft Security Home Page.

  • Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country. All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.

Other Information



The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • August 11, 2006: Advisory published.
  • August 13, 2006: Advisory updated to detail activity related to Win32/Graweg.

Built at 2014-04-18T13:49:36Z-07:00