Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

MS05-039 -- Mocbot IRC Worm in the wild

A new attack based on August's security bulletin MS05-039 surfaced overnight. This new threat currently remains at low risk. It was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed that while MS05-047 code was present, the MS05-039 exploit was the key method used to infect unpatched PCs.

MS05-039 -- Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm

This botnet client was spread using the MS05-039 vulnerability in October 2005. The trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe and creates a service called "wudpcom". Once instructed over IRC, the bot scans class A subnet addresses, sending SYN packets to TCP 139 (netbios) and TCP 445 (microsoft-ds).

SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites
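The first and third symptoms above are visible on the network before anyone looks at the host. The following is an added example (not from the original post or any vendor writeup) that flags both over flow-style log lines; the log format ("timestamp src dst dport tcp_flags"), the sample traffic and the 20-target scan threshold are all constructed assumptions.

```python
"""Flag the Mocbot network symptoms listed above in constructed flow-style log lines."""
from collections import defaultdict

SCAN_PORTS = {139, 445}   # netbios-ssn and microsoft-ds, the ports the bot SYN-scans
C2_PORT = 18067           # outbound port listed under SYMPTOMS
SCAN_THRESHOLD = 20       # distinct targets per source before we call it a scan (assumed value)


def parse_line(line):
    """Parse one assumed-format line "<ts> <src> <dst> <dport> <flags>"; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, dport, flags = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def analyze(lines):
    """Return (scanners, c2_sources).

    scanners:    hosts that sent SYNs to 139/445 on at least SCAN_THRESHOLD distinct targets
    c2_sources:  hosts that opened any connection to TCP 18067
    """
    syn_targets = defaultdict(set)   # src -> set of (dst, dport) it SYNed on scan ports
    c2_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] in SCAN_PORTS and rec["flags"] == "S":
            syn_targets[rec["src"]].add((rec["dst"], rec["dport"]))
        if rec["dport"] == C2_PORT:
            c2_sources.add(rec["src"])
    scanners = {src for src, tgts in syn_targets.items() if len(tgts) >= SCAN_THRESHOLD}
    return scanners, c2_sources


def sample_log():
    """Constructed sample, not real traffic: 10.0.0.7 sweeps hosts across 10.0.0.0/8 on 445,
    then contacts TCP 18067; 10.0.0.8 makes one ordinary SMB connection."""
    lines = [f"12:00:{i:02d} 10.0.0.7 10.{i}.0.{i} 445 S" for i in range(25)]
    lines.append("12:01:00 10.0.0.7 203.0.113.9 18067 S")
    lines.append("12:01:05 10.0.0.8 10.0.0.1 445 S")
    return lines


if __name__ == "__main__":
    print(analyze(sample_log()))   # prints ({'10.0.0.7'}, {'10.0.0.7'})
```

The class A sweep shows up as one source hitting many distinct destinations, which is why the check keys on distinct targets rather than on packet volume alone.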


-- AVERT / McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested that MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched for MS05-039, and similarities with an earlier MS05-039-exploiting bot, where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.