Microsoft said Wednesday that it is continuing to track new malware attempting to exploit the remote procedure call (RPC) flaw and gain access to critical files.
Christopher Budd, security program manager in the Microsoft Security Response Center, said the malware in the wild represents a significant threat, but most customers have deployed the patch relatively quickly.
"And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word 'worm', they do underscore the importance of deploying this update if you haven't already," Budd said in the MSRC blog.
The software giant warned in its MS08-067 emergency bulletin that the flaw could be used by an attacker to craft a wormable exploit. Hours after an out-of-cycle patch was released, researchers discovered a new Trojan exploiting the flaw in the wild.
Researchers have discovered at least seven variants of the Trojan in the wild. The Trojans focuses on loading malware onto a vulnerable system. The flaw is rated critical on Windows 2000, XP and Windows Server 2003 and is given an important rating on Windows Vista and Windows Server 2008.
"The largest of these attacks are those associated with Clort family and we've seen well below fifty attacks worldwide," Budd said.
Clort family is a group of Trojan variants that execute another dropped Trojan to exploit the RPC flaw. After a successful attack, other malware and adware is downloaded on a victim's machine.
Symantec's Security Response research team warned users this week that it was tracking a new worm, W32.Wecorl, that was targeting vulnerable machines in China. A second worm, W32 Kernelbot.A, has the ability to make a victim's machine a zombie, connecting it to a botnet.
"It currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites," Symantec said on its Security Response blog.