Esbot.a



Symantec’s site is also reporting another virus (technically a worm) targetting the MS05-039 vulnerability. This one is called w32.esbot.a and is also rated at level 3 on their 5 level threat assessment scale.



This one creates a mutex called mousebm so that it can only run once. It creates a file called mousebm.exe in the system folder (WinNT / Windows /as the case may be).

It runs itself as a service…

Service Name: mousebm
Display Name: Mouse Button Monitor
Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
Path to executable: %System%mousebm.exe

Inserts itself into Explorer.exe
then it modifies a registry key with

“EnableDCOM” = “N”

in the registry subkey:

HKEY_LOCAL_MACHINESoftwareMicrosoftOle

to disable DCOM.

then adds

“restrictanonymous” = “1″

to the registry subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa

to restrict anonymous network share access.

It creates a readonly file at %Windir%debugdcpromo.log

connects using port 30722 to

esxt.is-a-fag.net
esxt.legi0n.net (IRC servers)
to await commands

The command set included allows…

Download and execute files
List, stop, and start processes and threads
Launch Denial of Service (DoS) attacks
Find files on local hard disks
Scans for computers and attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm sends shell code to the remote machine.

All of the above from Symantecs writeup at their site. They also have removal instructions. Hopefully the attention paid to zotob will help get this one cleaned out as well since it uses the same vulnerability. It sounds as though this could be a sleeper and may not give many outward signs of infection.

Related Posts

Blog Traffic Exchange Related Posts
  • More on the Windows WMF zero-day exploit There seems to be quite a bit developing on the Windows Meta File (WMF) zero-day (0-day) exploit which was first reported yesterday. Sans has raised their alert level to yellow in an effort to get attention to this problem. It looks like the original site serving the exploit is down,......
  • Park Your Virus Impervious Smugness Mac (and Linux) Users [/caption] I use linux. I prefer it over Windows for many reasons. It's more resistant to viruses, less of a target, but that doesn't mean that malware or other viruses are impossible. If someone were to trick me into running something and even worse, trick me into using my administrator......
  • How to Remove Antivirus 360 This should not be confused with Norton 360 which is a legitimate antivirus program (although if you need help removing Norton 360 to reinstall it or another antivirus program you may want to visit my antivirus removal tool list.) What we are talking about this time is a rogue security......
Blog Traffic Exchange Related Websites
  • Outlining The Main Contrasts Between UK And US Web Hosting Website marketing is the current trend of modern business. It seeks to exploit online resources to reach out to the public. Websites are used to educate and relay specific information to internet surfers. The process of developing sites is a long one and requires a lot of planning and expertise.......
  • Creating a Professional Corporate Blog There are three basic ingredients that are necessarily in building a successful and professional blog, which are the ability to provide high quality content, the need to develop a loyal readership, and the offering of quality products or services based on the niche or industry the blog is based in.......
  • Primary Advantages Of Pay Per Click Traffic Producing Providers Pay per click advertising programs, regardless of being used independently or along with an organic web optimization campaign, is a highly effective approach to get to an extensive audience and also to generate a considerable amount of pay per click traffic. Some of the benefits associated with working with a......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site