Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Ms06-040 -- New Ircbot Attacks Unpatched W/2000 Systems

  • Please log in to reply
1 reply to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:02:17 AM

Posted 13 August 2006 - 08:09 AM

OVERVIEW: A generic IRCbot called MocBot by some AV vendors has been adpated to use a recently developed MS06-040 exploit. The Windows MS06-040 patch fixes critical security issues for a recently discovered "Server" service vulnerability. This protective patch was issued on August 8th by Microsoft. Now five days later, this new IRC-MocBot attack is now in the wild.

It will automatically affect unpatched W/2000 systems (unless firewall controls to block ports 139 and 445 are in place). This IRCbot can also potentially spread through AOL Instant messaging traffic.

On infected systems, it hides as a Windows Genuine Advantage (WGA) Registration service and instability will result with improper removal. Finally, Trend is reporting a 2nd variant so this new malware model may be adaptable to creating new variants to bypass AV detection as it emerges. Please install all available Microsoft security updates (esp. MS06-040) for the best level of protection.


MSRC Blog Information

Internet Storm Center bulletin

FrSIRT - Current Threat Analysis

Department of Homeland Security Warning


MS06-040 - McAfee IRC-MocBot

MS06-040 - McAfee generic information on IRC bot adapted to use exploit

This is a detection for variants of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines. This worm spreads by exploit in the MS06-040 vulnerability. It registers itself as a "Windows Genuine Advantage Registration" Service. Stopping or disabling this service will result in system instability..(The "Windows Genuine Advantage"programs installed by Microsoft via Windows Update does not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory)

MS06-040 - F-Secure Weblog and AV information

IRCBot.st is the first variant of this IRC backdoor-worm to use the recently discovered MS06-040 exploit to spread. After being run, the backdoor installs itself to system, modifies several security settings, connects to a remote IRC server and starts listening for commands from a remote hacker

MS06-040 - Symantec MocBot.B


MS06-040 - Trend WORM_IRCBOT Behavioral Diagram

This worm propagates by dropping copies of itself in the default network-shared folder IPC$. It can also use the popular chat application AOL Instant Messgener (AIM) as another medium in speading its copies to as many users as possible. Via AIM, this worm sends out instant messages containing a URL, where a copy of it can be downloaded, to all the contacts in an affected user's buddy list. It is important to note that this worm takes advantage of a known vulnerability in Windows' Server Service to do the mentioned propagation routines. More information on the said vulnerability can be found in the following Microsoft Web page: Microsoft Security Bulletin MS06-040 It opens random TCP ports to establish a connection with the IRC hostile IRC based servers. Once connected, it then acts as a backdoor allowing a remote malicious user to issue commands and gain privileges on the affected machine, thus effectively compromising system security. This worm also either disables or restricts several system services to let its routines run without interference.

MS06-040 - Computer Associates Cuebot.J

In order to spread, the worm attempts to exploit the Microsoft Windows Server service buffer overflow vulnerability. The worm searches IP addresses for potential targets, checking for vulnerable systems via port 445. It only does this if it is commanded to through its IRC controlled backdoor (see Payload section below for additional detail).

For more information on this vulnerability, please visit:


Edited by harrywaldron, 13 August 2006 - 08:17 AM.

BC AdBot (Login to Remove)


#2 graveangel


  • Members
  • 399 posts
  • Gender:Male
  • Location:Nottingham England Home to the Hood of Robin
  • Local time:07:17 AM

Posted 13 August 2006 - 09:07 AM

Just some added info at F-Secures sight

....And on the 8th day God said, "When my children are intelligent, and create the Computer, for my sake may they never screw around with the registry or subscribe to AOL"Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users