MS05-039 -- Mocbot IRC Worm in the wild
This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios) and 445 (microsoft-ds).
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites
Information on the MS05-047 exploit, which attacks PnP security in a similar fashion to MS05-039, is noted below:
FrSIRT has also published POC code for the MS05-047 exploit.
Edited by harrywaldron, 24 October 2005 - 06:55 AM.
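The three indicators listed above, applied as a detection check over connection records and a file inventory; this is an added example, not part of the original post. The log format, the fan-out threshold, the host addresses and the inventory are constructed assumptions.

```python
from collections import defaultdict

SCAN_PORTS = {139, 445}        # netbios / microsoft-ds, as named in the post
C2_PORT = 18067                # outbound TCP port named in the post
DROPPED_FILE = "wudpcom.exe"   # file name named in the post
FANOUT_THRESHOLD = 20          # assumption: distinct SYN targets before flagging

# Constructed sample, hypothetical format: "src dst dport tcp_flags" per line.
SAMPLE_LOG = "\n".join(
    [f"10.0.0.5 10.{i}.1.1 445 S" for i in range(1, 16)]
    + [f"10.0.0.5 10.{i}.1.1 139 S" for i in range(16, 31)]
    + ["10.0.0.5 203.0.113.9 18067 S",
       "10.0.0.7 10.0.0.2 445 S",         # ordinary file-server use
       "10.0.0.8 198.51.100.4 18067 S",   # port match only
       "malformed line"]
)
# Constructed inventory: host -> file names seen in the Windows system directory.
SAMPLE_FILES = {"10.0.0.5": ["WUDPCOM.EXE", "kernel32.dll"],
                "10.0.0.7": ["kernel32.dll"]}

def parse(log):
    """Yield (src, dst, dport) for SYN records; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit() or parts[3] != "S":
            continue
        yield parts[0], parts[1], int(parts[2])

def find_indicators(log, files_by_host):
    """Return {host: sorted indicator names} for every host with a hit."""
    targets = defaultdict(set)   # src -> distinct 139/445 destinations
    hits = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport in SCAN_PORTS:
            targets[src].add(dst)
        elif dport == C2_PORT:
            hits[src].add("tcp-18067")
    for src, dsts in targets.items():
        if len(dsts) >= FANOUT_THRESHOLD:   # many targets, not one file server
            hits[src].add("smb-scan")
    for host, names in files_by_host.items():
        if any(n.lower() == DROPPED_FILE for n in names):  # Windows names are case-insensitive
            hits[host].add("wudpcom-file")
    return {h: sorted(v) for h, v in hits.items()}

if __name__ == "__main__":
    for host, found in sorted(find_indicators(SAMPLE_LOG, SAMPLE_FILES).items()):
        print(host, found)
```

A host that matches only the port indicator, such as 10.0.0.8 in the sample, is a lead to investigate rather than a confirmed infection; the three indicators together are the stronger signal.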