Symantec’s site is also reporting another virus (technically a worm) targetting the MS05-039 vulnerability. This one is called w32.esbot.a and is also rated at level 3 on their 5 level threat assessment scale.
This one creates a mutex called mousebm so that it can only run once. It creates a file called mousebm.exe in the system folder (WinNT / Windows /as the case may be).
It runs itself as a service…
Service Name: mousebm
Display Name: Mouse Button Monitor
Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
Path to executable: %System%mousebm.exe
Inserts itself into Explorer.exe
then it modifies a registry key with
“EnableDCOM” = “N”
in the registry subkey:
to disable DCOM.
“restrictanonymous” = “1″
to the registry subkey:
to restrict anonymous network share access.
It creates a readonly file at %Windir%debugdcpromo.log
connects using port 30722 to
esxt.legi0n.net (IRC servers)
to await commands
The command set included allows…
Download and execute files
List, stop, and start processes and threads
Launch Denial of Service (DoS) attacks
Find files on local hard disks
Scans for computers and attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm sends shell code to the remote machine.
All of the above from Symantecs writeup at their site. They also have removal instructions. Hopefully the attention paid to zotob will help get this one cleaned out as well since it uses the same vulnerability. It sounds as though this could be a sleeper and may not give many outward signs of infection.
Related PostsRelated Posts
- Zotob worm bites big media outlets According to several reports there are several big media outlets seeing what is reported as the zotob worm which exploits a Microsoft Windows vulnerability (MS05-039) disclosed last week. There seems to be no better way for something to make the news than for it to affect the companies that bring......
- Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
- The latest and greatest in Malware Removals I have started referring to malware more and more lately because the term virus doesn't exactly describe the pests I see on peoples machines and the terms spyware or adware aren't doing justice to some of these pests either. (There are many pieces of what I would consider malware that......
- Alameda County Marinas Part 1 San Leandro Marina 40 San Leandro Marina, San Leandro, California 94577 Phone: 800.559.7245 Average water depth? 7 feet is the norm here but it is always a good idea to call ahead and double check current levels. Is there a marine stand by channel? Yes, you can reach the......
- Free Registry Cleaner- Free Download Safely Scan And Repair Registry Problems A good registry cleaner can help fix several common computer ailments. If you're experiencing problems such as frequent error message, slow bootups, crashes and freezes, and overall sluggish performance, you probably have errors in the Windows registry. These errors can cause Windows to "trip" over itself when looking for files......
- Primary Advantages Of Pay Per Click Traffic Producing Providers Pay per click advertising programs, regardless of being used independently or along with an organic web optimization campaign, is a highly effective approach to get to an extensive audience and also to generate a considerable amount of pay per click traffic. Some of the benefits associated with working with a......
- Zotob details
- Zotob worm bites big media outlets
- Esbot and Zotob updates….
- Windows cleanmgr takes too long at compress old files
- If the cumulitive IE patch fails to install