MS06-040 -- New IRCBot attacks unpatched W/2000 systems
A generic IRCbot, called MocBot by some AV vendors, has been adapted to use a recently developed MS06-040 exploit. The Windows MS06-040 patch fixes critical security issues in a recently discovered "Server" service vulnerability. Microsoft issued this protective patch on August 8th; five days later, this new IRC-MocBot attack is in the wild.
It will automatically infect unpatched W/2000 systems (unless firewall controls blocking ports 139 and 445 are in place). This IRCbot can also potentially spread through AOL Instant Messenger traffic.
On infected systems, it hides as a Windows Genuine Advantage (WGA) Registration service, and improper removal will cause system instability. Finally, Trend is reporting a 2nd variant, so this malware family may be adapted into further variants to bypass AV detection as it spreads. Please install all available Microsoft security updates (esp. MS06-040) for the best level of protection.
SECURITY INFORMATION AND WARNINGS
MSRC Blog Information
Internet Storm Center bulletin
FrSIRT - Current Threat Analysis
Department of Homeland Security Warning
ANTI-VIRUS PROTECTION FOR NEW MS06-040 BASED IRC-BOT
MS06-040 - McAfee IRC-MocBot
MS06-040 - McAfee generic information on IRC bot adapted to use exploit
QUOTE: This is a detection for variants of IRC-Mocbot that exploit the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines. This worm spreads by exploiting the MS06-040 vulnerability. It registers itself as a "Windows Genuine Advantage Registration" Service. Stopping or disabling this service will result in system instability. (The "Windows Genuine Advantage" programs installed by Microsoft via Windows Update do not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory.)
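The McAfee write-up gives two host indicators a defender can check for: a service presenting itself as "Windows Genuine Advantage Registration", and wgareg.exe or wgavm.exe as that service's binary. The following is an added example (not vendor code, not from this post) that flags service records matching those indicators; the service records and the WINNT paths are constructed sample input, and in practice they would be read from the Services registry key or an `sc query` listing.

```python
import os
import re
from collections import namedtuple

# Indicators from the vendor write-ups: a service posing as the
# "Windows Genuine Advantage Registration" service, backed by wgareg.exe
# or wgavm.exe dropped into the Windows system directory.
SUSPECT_BINARIES = {"wgareg.exe", "wgavm.exe"}
SUSPECT_DISPLAY = re.compile(r"windows genuine advantage registration", re.I)

# name = registry key under Services; display_name / image_path = its values
ServiceRecord = namedtuple("ServiceRecord", "name display_name image_path")

def binary_of(image_path):
    """Lower-cased executable file name from an ImagePath value (quotes/args stripped)."""
    path = image_path.strip()
    path = path[1:].split('"', 1)[0] if path.startswith('"') else path.split(" ", 1)[0]
    return os.path.basename(path.replace("\\", "/")).lower()

def flag_services(records):
    """Return (service name, reason) for each record matching an indicator.
    The binary name is the strong indicator; the display name alone is weaker,
    since legitimate WGA components use similar wording."""
    hits = []
    for r in records:
        exe = binary_of(r.image_path)
        if exe in SUSPECT_BINARIES:
            hits.append((r.name, "image is " + exe))
        elif SUSPECT_DISPLAY.search(r.display_name):
            hits.append((r.name, "display name mimics WGA registration"))
    return hits

# Constructed sample: two ordinary services and one matching the write-ups.
SAMPLE = [
    ServiceRecord("lanmanserver", "Server", r"C:\WINNT\system32\services.exe"),
    ServiceRecord("wgareg", "Windows Genuine Advantage Registration Service",
                  r"C:\WINNT\system32\wgareg.exe"),
    ServiceRecord("Spooler", "Print Spooler", r"C:\WINNT\system32\spoolsv.exe"),
]

if __name__ == "__main__":
    for name, why in flag_services(SAMPLE):
        print("suspicious service", name + ":", why)
```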
MS06-040 - F-Secure Weblog and AV information
QUOTE: IRCBot.st is the first variant of this IRC backdoor-worm to use the recently discovered MS06-040 exploit to spread. After being run, the backdoor installs itself to the system, modifies several security settings, connects to a remote IRC server and starts listening for commands from a remote hacker.
MS06-040 - Symantec MocBot.B
MS06-040 - Trend WORM_IRCBOT.JK and WORM_IRCBOT.JL
MS06-040 - Trend WORM_IRCBOT Behavioral Diagram
QUOTE: This worm propagates by dropping copies of itself in the default network-shared folder IPC$. It can also use the popular chat application AOL Instant Messenger (AIM) as another medium in spreading its copies to as many users as possible. Via AIM, this worm sends out instant messages containing a URL, where a copy of it can be downloaded, to all the contacts in an affected user's buddy list. It is important to note that this worm takes advantage of a known vulnerability in Windows' Server Service to do the mentioned propagation routines. More information on the said vulnerability can be found in the following Microsoft Web page: Microsoft Security Bulletin MS06-040. It opens random TCP ports to establish a connection with hostile IRC-based servers. Once connected, it then acts as a backdoor allowing a remote malicious user to issue commands and gain privileges on the affected machine, thus effectively compromising system security. This worm also either disables or restricts several system services to let its routines run without interference.
MS06-040 - Computer Associates Cuebot.J
QUOTE: In order to spread, the worm attempts to exploit the Microsoft Windows Server service buffer overflow vulnerability. The worm searches IP addresses for potential targets, checking for vulnerable systems via port 445. It only does this if it is commanded to through its IRC controlled backdoor (see Payload section below for additional detail).
For more information on this vulnerability, please visit: