Esbot.a



Symantec’s site is also reporting another virus (technically a worm) targetting the MS05-039 vulnerability. This one is called w32.esbot.a and is also rated at level 3 on their 5 level threat assessment scale.



This one creates a mutex called mousebm so that it can only run once. It creates a file called mousebm.exe in the system folder (WinNT / Windows /as the case may be).

It runs itself as a service…

Service Name: mousebm
Display Name: Mouse Button Monitor
Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
Path to executable: %System%mousebm.exe

Inserts itself into Explorer.exe
then it modifies a registry key with

“EnableDCOM” = “N”

in the registry subkey:

HKEY_LOCAL_MACHINESoftwareMicrosoftOle

to disable DCOM.

then adds

“restrictanonymous” = “1″

to the registry subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

to restrict anonymous network share access.

It creates a readonly file at %Windir%debugdcpromo.log

connects using port 30722 to

esxt.is-a-fag.net
esxt.legi0n.net (IRC servers)
to await commands

The command set included allows…

Download and execute files
List, stop, and start processes and threads
Launch Denial of Service (DoS) attacks
Find files on local hard disks
Scans for computers and attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm sends shell code to the remote machine.

All of the above from Symantecs writeup at their site. They also have removal instructions. Hopefully the attention paid to zotob will help get this one cleaned out as well since it uses the same vulnerability. It sounds as though this could be a sleeper and may not give many outward signs of infection.

Related Posts

Blog Traffic Exchange Related Posts
  • Zotob worm bites big media outlets According to several reports there are several big media outlets seeing what is reported as the zotob worm which exploits a Microsoft Windows vulnerability (MS05-039) disclosed last week. There seems to be no better way for something to make the news than for it to affect the companies that bring......
  • Windows more secure than Linux? For the last week, I've seen various headlines referring to a report from US-CERT that indicated 2005 had 5,198 security flaws reported. Out of those 2,328 were reported for Linux/Unix, 812 for Windows and 2,058 affecting more than one operating system. Now, I'm seeing all sorts of headlines about how......
  • Park Your Virus Impervious Smugness Mac (and Linux) Users [/caption] I use linux. I prefer it over Windows for many reasons. It's more resistant to viruses, less of a target, but that doesn't mean that malware or other viruses are impossible. If someone were to trick me into running something and even worse, trick me into using my administrator......
Blog Traffic Exchange Related Websites
  • Customer Service Calling Day Today, I spend an hour making a few customer service calls due to what I perceived as billing errors. The first was to Sprint. Even though I updated my address on their website, they kept the old billing address. That wasn't my big concern, though. It was the $4 of......
  • Alameda County Marinas Part 1 San Leandro Marina 40 San Leandro Marina, San Leandro, California 94577 Phone: 800.559.7245 Average water depth? 7 feet is the norm here but it is always a good idea to call ahead and double check current levels. Is there a marine stand by channel? Yes, you can reach the......
  • Blue Screen: Pc Crash or Registry Error? Kelly Liyakasa is staff writer for 6StarReviews.com. Kelly Staller is site manager at 6StarReviews.com, a site dedicated to giving YOU, the consumer, the best product and service reviews around. If you like saving time and money by having someone else review leading sites and products, then Visit our site at......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site