|
Public exploit code targeting the MS06-040 vulnerability has
become widely available on the Internet. The MS06-040 security
bulletin addresses a remote code execution vulnerability in
the Windows Server Service. Successful exploitation of this
vulnerability can allow an attacker to take complete control
of the affected system. BroadWeb BSST has tested the exploit
and verified its ability to compromise vulnerable
hosts.

In addition to the above exploit, variants of Mocbot have
appeared that exploit the MS06-040 vulnerability to spread
themselves. Mocbot also uses the victim’s account to send
malicious URLs to AOL Instant Messenger users. Unsuspecting AOL
IM users may be duped into following the malicious links and
downloading and installing the Mocbot malware. Once installed
on a computer, Mocbot scans for hosts vulnerable to MS06-040
and spreads itself to those hosts.

BSST (Broadweb Security Service Team) has released a
countermeasure signature in signature pattern 3.52, which
includes:

#1052612_EXPLOIT Server Service Remote Code Execution (MS06-040)

Broadweb BSST suggests that NetKeeper users upgrade their
signature patterns to version 3.52 or later immediately in
order to guard against the above malware.

Broadweb Security Service Team (BSST) - Empower Your
Network Security
Broadweb NetKeeper Intruder Prevention System delivers
protection against intrusion, worms, DDoS, instant messaging,
P2P, Web-Mail, and Web Post.

Reference:
Mocbot/MS06-040 IRC Bot Analysis: http://www.lurhq.com/mocbot-ms06040.html
Microsoft Security Bulletin MS06-040: http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx |