
MS05-039: Zotob.A Worm -- In-the-wild


  • Please log in to reply
2 replies to this topic

#1 harrywaldron

Posted 14 August 2005 - 08:15 AM

The Mytob worm has been modified to include MS05-039 exploitation. F-Secure gives this a MEDIUM RISK rating (2 of 3 on the Radar scale).

KEY LINKS

MS05-039: Zotob.A Worm - F-Secure (MEDIUM RISK)

MS05-039: Zotob.A Worm - F-Secure WEBLOG

Zotob.A is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039).

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445. If the attack is successful, the worm instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected.
The downloaded file is saved as 'haha.exe' on disk.

Edited by KoanYorel, 14 August 2005 - 08:28 AM.


#2 harrywaldron


Posted 14 August 2005 - 11:18 AM

Symantec Info
http://www.sarc.com/avcenter/venc/data/w32.zotob.a.html

Internet Storm Center
http://isc.sans.org/diary.php?date=2005-08-14

Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 cannot be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.



#3 harrywaldron


Posted 14 August 2005 - 11:29 AM

McAfee Information
http://vil.nai.com/vil/content/v_135433.htm

Virus Information
Discovery Date: 08/14/2005
Origin: Unknown
Length: Varies
Type: Virus
SubType: Internet Worm
Minimum DAT: 4558 (08/15/2005)
Updated DAT: 4558 (08/15/2005)
Minimum Engine: 4.4.00
Description Added: 08/14/2005
Description Modified: 08/14/2005 9:19 AM (PT)

This self-executing worm spreads by exploiting Windows 2000 MS05-039 vulnerable systems in order to instruct those systems to download and execute the worm. On Demand Scans may detect this threat as New Malware.n with the 4451 DAT files or newer.

METHOD OF INFECTION

This worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.
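Detection logic for the scan-then-fetch pattern the F-Secure and McAfee write-ups above describe, as an added example that is not from the thread or either vendor: it runs over constructed firewall records (the record format, the sample addresses and the four-network threshold are assumptions) and flags a source that SYNs TCP/445 across many distinct class B networks, then any scanned host that connects back to that source on a high port, where the worm's FTP listener sits.

```python
from collections import defaultdict

# Constructed sample of firewall/flow records (not taken from the thread):
# "<timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>"; S = SYN only.
SAMPLE_LOG = """\
2005-08-14T08:01:00 10.1.2.3 172.16.5.9 445 S
2005-08-14T08:01:00 10.1.2.3 172.17.8.2 445 S
2005-08-14T08:01:01 10.1.2.3 172.18.1.1 445 S
2005-08-14T08:01:01 10.1.2.3 172.19.3.3 445 S
2005-08-14T08:01:02 10.1.2.3 172.20.4.4 445 S
2005-08-14T08:01:03 172.16.5.9 10.1.2.3 33333 S
2005-08-14T08:05:00 10.1.2.7 10.1.2.10 445 S
2005-08-14T08:05:01 10.1.2.7 10.1.2.10 445 S
"""

def parse(line):
    ts, src, dst, dport, flags = line.split()
    return ts, src, dst, int(dport), flags

def class_b(ip):
    """The /16 (class B) network an address falls in: 172.16.5.9 -> '172.16'."""
    return ".".join(ip.split(".")[:2])

def find_scanners(lines, min_networks=4):
    """Sources sending SYNs to TCP/445 across many distinct /16s (assumed
    threshold). Normal SMB clients talk to a few servers on their own
    networks; a host sweeping random class B ranges looks very different."""
    nets = defaultdict(set)
    for line in lines:
        _, src, dst, dport, flags = parse(line)
        if dport == 445 and flags == "S":
            nets[src].add(class_b(dst))
    return {src: len(n) for src, n in nets.items() if len(n) >= min_networks}

def find_callbacks(lines, scanners):
    """Hosts that were SYN'd on 445 by a flagged scanner and then opened a
    connection back to that scanner on a high port: the post-exploit fetch
    of the worm body from the attacker's FTP listener."""
    hit = set()
    callbacks = []
    for line in lines:
        _, src, dst, dport, flags = parse(line)
        if src in scanners and dport == 445:
            hit.add((src, dst))
        elif (dst, src) in hit and dport > 1023 and flags == "S":
            callbacks.append((src, dst, dport))
    return callbacks
```

Blocking 445 at the perimeter, as the thread recommends, stops the inbound scan, but the callback check is what surfaces an already-infected internal host that is scanning its neighbours.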
