W32/IRCbot.worm!MS05-039

Type: Virus
SubType: Internet Relay Chat
Discovery Date: 08/16/2005
Length: 10366 bytes
Minimum DAT: 4560 (08/16/2005)
Updated DAT: 4591 (09/27/2005)
Minimum Engine: 5.1.00
Description Added: 08/16/2005
Description Modified: 08/19/2005 10:51 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update August 19, 2005 --
Due to a decrease in prevalence, W32/IRCbot.worm!MS05-039 is being lowered to Low-Profiled risk.
--

-- Update August 17, 2005 --
Due to a decrease in reports of new infections, W32/IRCbot.worm!MS05-039 is being lowered to Medium risk.
--

This detection is for an Internet Relay Chat (IRC) bot worm which includes the ability to spread by exploiting systems which are not yet patched for the MS05-039 vulnerability.

This worm is designed to contact a remote IRC server and wait for further instructions.

If you think that you may be infected with W32/IRCbot.worm!MS05-039, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Installation

When the file is run the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE.  The file can be run automatically by exploiting the MS05-039 vulnerability or by a person directly executing the worm.

Registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe

Symptoms

If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, the system may reboot.

Method of Infection

This threat scans for systems that can be exploited through the MS05-039 vulnerability. When a vulnerable system is found, it uses a buffer overflow to write the worm file to that machine via a TFTP upload on port 8594. Blocking this port via McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow itself is not prevented.
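The Installation and Method of Infection sections above name three host-level indicators: WINTBP.EXE in the System directory, the "wintbp.exe" value under the HKLM Run key, and port 8594 used for the TFTP upload. The following PowerShell triage script is an added example, not part of the McAfee description and not a McAfee tool. It checks those indicators on a Windows host and, with the -BlockPort switch (the switch and the rule names are this example's own), adds Windows Firewall block rules for port 8594 as an alternative to the McAfee firewall products the text names. It assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules) and an elevated session.

```powershell
<#
  Added example (not from the McAfee description): defender-side triage for the
  W32/IRCbot.worm!MS05-039 indicators the description names. Assumes Windows 8 /
  Server 2012 or later and an elevated PowerShell session. The -BlockPort switch
  and the firewall rule names are assumptions of this example.
#>
param(
    [switch]$BlockPort   # also create Windows Firewall block rules for port 8594
)

$findings = New-Object System.Collections.Generic.List[string]
$dropper  = Join-Path $env:SystemRoot 'System32\wintbp.exe'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$wormPort = 8594   # port the description gives for the TFTP upload

# 1. Dropped file in the Windows System directory
if (Test-Path -LiteralPath $dropper) {
    $size = (Get-Item -LiteralPath $dropper).Length
    $findings.Add("File present: $dropper ($size bytes; the description lists 10366 bytes)")
}

# 2. Startup persistence value under the Run key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'wintbp.exe')) {
    $findings.Add("Run value present: $runKey\wintbp.exe = $($run.'wintbp.exe')")
}

# 3. Running process (Get-Process matches on the name without extension)
foreach ($p in Get-Process -Name wintbp -ErrorAction SilentlyContinue) {
    $findings.Add("Process running: wintbp.exe (PID $($p.Id))")
}

# 4. Any TCP connection or UDP endpoint involving the upload port
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
       Where-Object { $_.LocalPort -eq $wormPort -or $_.RemotePort -eq $wormPort }
foreach ($c in $tcp) {
    $findings.Add("TCP $($c.State): $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) (PID $($c.OwningProcess))")
}
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -eq $wormPort }
foreach ($e in $udp) {
    $findings.Add("UDP endpoint bound on port $wormPort (PID $($e.OwningProcess))")
}

# 5. Is the port already covered by an enabled Windows Firewall block rule?
$blockRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
              Where-Object { $_.LocalPort -contains "$wormPort" -or $_.RemotePort -contains "$wormPort" } |
              Get-NetFirewallRule |
              Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

if ($BlockPort -and -not $blockRules) {
    foreach ($proto in 'TCP', 'UDP') {
        # Inbound: nothing may reach a local listener on 8594; outbound: nothing may talk to a remote 8594.
        New-NetFirewallRule -DisplayName "Block port $wormPort $proto inbound (IRCbot.worm!MS05-039)" `
            -Direction Inbound -Protocol $proto -LocalPort $wormPort -Action Block -Profile Any | Out-Null
        New-NetFirewallRule -DisplayName "Block port $wormPort $proto outbound (IRCbot.worm!MS05-039)" `
            -Direction Outbound -Protocol $proto -RemotePort $wormPort -Action Block -Profile Any | Out-Null
    }
    $findings.Add("Created Windows Firewall block rules for port $wormPort (TCP and UDP, inbound and outbound)")
} elseif (-not $blockRules) {
    $findings.Add("No enabled firewall rule blocks port $wormPort; re-run with -BlockPort to add one")
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/IRCbot.worm!MS05-039 indicators found on this host."
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it once without the switch to see what is present, and with -BlockPort on hosts that cannot yet take the MS05-039 patch. The port block only stops the file transfer, not the overflow itself, which matches the description's own caveat about the buffer overflow still occurring on unpatched systems.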

Removal

AVERT DATS
Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

McAfee Intrushield
Sigsets released on Aug 9th, 2005 will detect this as:

DCERPC: Microsoft Plug and Play Service Buffer Overflow (0x47602000)

Stinger
Stinger has been updated to help detect and repair this threat.

McAfee Managed VirusScan
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.

McAfee Entercept
McAfee Entercept prevents the vulnerable system from being exploited with Level 1 protection enabled.

McAfee VirusScan Enterprise 8.0i
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.  Additionally, systems running VirusScan Enterprise with the "Prevent creation of new files in the System32 folder (.exe)" access protection rule set to "Block access" will be protected from infection, though the buffer overflow may still occur on unpatched systems.

Note: if this rule is set to apply to all processes, it will also block legitimate updates to files in the Windows directory, such as when applying security patches, so it will need to be disabled while such legitimate activity is occurring.

The User-defined Detection feature of the Unwanted Programs Policy can also be used to prevent replication of the worm, by adding a detection for wintbp.exe as shown below.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • CME-540
  • W32.Zotob.E (Symantec)
  • W32/Tpbot-A (Sophos)
  • WORM_RBOT.CBQ (Trend)
