Classic tech archive.
From the original averyjparker.com tech blog — historical context; pair with modern guides where noted.
Full archive · Maker projects ·
Network Ninja
Classic tip · Classic
Esbot.a
Symantec's site is also reporting another virus (technically a worm) targetting the MS05-039 vulnerability. This one is called w32.esbot.a and is also rated at level 3 on their 5 level threat assessm…
Symantec's site is also reporting another virus (technically a worm) targetting the MS05-039 vulnerability. This one is called w32.esbot.a and is also rated at level 3 on their 5 level threat assessment scale.
This one creates a mutex called mousebm so that it can only run once. It creates a file called mousebm.exe in the system folder (WinNT / Windows /as the case may be).
It runs itself as a service...
Service Name: mousebm Display Name: Mouse Button Monitor Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability. Path to executable: %System%\mousebm.exeInserts itself into Explorer.exe then it modifies a registry key with "EnableDCOM" = "N" in the registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Ole to disable DCOM. then adds "restrictanonymous" = "1" to the registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to restrict anonymous network share access. It creates a readonly file at %Windir%\debug\dcpromo.log connects using port 30722 to esxt.is-a-fag.net esxt.legi0n.net (IRC servers) to await commands The command set included allows... Download and execute files List, stop, and start processes and threads Launch Denial of Service (DoS) attacks Find files on local hard disks Scans for computers and attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm sends shell code to the remote machine. All of the above from Symantecs writeup at their site. They also have removal instructions. Hopefully the attention paid to zotob will help get this one cleaned out as well since it uses the same vulnerability. It sounds as though this could be a sleeper and may not give many outward signs of infection.