BleepingComputer.com: MS05-039: Zotob.A Worm -- In-the-wild

Jump to content

Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

MS05-039: Zotob.A Worm -- In-the-wild ensure you are current on MS updates

#1 User is offline   harrywaldron 

  • Security Reporter
  • PipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 509
  • Joined: 10-April 04
  • Gender:Male
  • Location:Roanoke, Virginia

  Posted 14 August 2005 - 08:15 AM

The Mytob worm has been modified to include MS05-039 exploitation. F-Secure gives this a MEDIUM RISK rating (2 of 3 on the Radar scale).

KEY LINKS

MS05-039: Zotob.A Worm - F-Secure (MEDIUM RISK)

MS05-039: Zotob.A Worm - F-Secure WEBLOG

MS05-039: Zotob.A Worm - F-Secure (MEDIUM RISK)

Zotob.A is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039). Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445. If the attack is successful, the worm instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected.
The downloaded file is saved as 'haha.exe' on disk.urity/Bulletin/MS05-039.mspx

This post has been edited by KoanYorel: 14 August 2005 - 08:28 AM

Microsoft Security Journal

#2 User is offline   harrywaldron 

  • Security Reporter
  • PipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 509
  • Joined: 10-April 04
  • Gender:Male
  • Location:Roanoke, Virginia

Posted 14 August 2005 - 11:18 AM

Symantec Info
http://www.sarc.com/avcenter/venc/data/w32.zotob.a.html

Internet Storm Center
http://isc.sans.org/diary.php?date=2005-08-14

Quote

Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.

Microsoft Security Journal

#3 User is offline   harrywaldron 

  • Security Reporter
  • PipPipPipPip
  • Find Topics
  • Group: Members
  • Posts: 509
  • Joined: 10-April 04
  • Gender:Male
  • Location:Roanoke, Virginia

Posted 14 August 2005 - 11:29 AM

McAfee Information
http://vil.nai.com/vil/content/v_135433.htm

Virus Information
Discovery Date: 08/14/2005
Origin: Unknown
Length: Varies
Type: Virus
SubType: Internet Worm
Minimum DAT: 4558 (08/15/2005)
Updated DAT: 4558 (08/15/2005)
Minimum Engine: 4.4.00
Description Added: 08/14/2005
Description Modified: 08/14/2005 9:19 AM (PT)

This self-executing worm spreads by exploiting Windows 2000 MS05-039 vulnerable systems in order to instruct those systems to download and execute the worm. On Demand Scans may detect this threat as New Malware.n with the 4451 DAT files or newer.

METHOD OF INFECTION This worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.
Microsoft Security Journal

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users