IRC-Mocbot

Type: Virus
SubType: Internet Worm
Discovery Date: 10/22/2005
Length: 7,846 bytes
Minimum DAT: 4611 (10/24/2005)
Updated DAT: 5091 (08/06/2007)
Minimum Engine: 5.1.00
Description Added: 10/22/2005
Description Modified: 10/24/2005 12:12 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

-- Update Oct 23, 2005 --
After further analysis, AVERT has confirmed that this threat exploits MS05-039, not MS05-047. Initial analysis suggested that MS05-047 was being exploited because of similarities between the two exploits (including overlapping code in the publicly available exploit source), field infection reports in which administrators incorrectly stated that machines had been patched against MS05-039, and similarity to an earlier MS05-039-exploiting bot from which the only significant change was the exploit code.

AVERT has also confirmed that automated propagation was configured on the remote IRC servers: infected systems that are able to connect to the IRC server are immediately instructed to seek out and infect vulnerable systems, so the worm spreads without any per-host command from the operator.

This threat exploits the MS05-039 Microsoft Windows vulnerability (the Plug and Play service buffer overflow, CVE-2005-1983).

This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wudpcom.exe (MD5: 996c9c3a01c9567915212332fe5c1264). It creates a service with the following properties (the description copies the wording style of legitimate Windows service descriptions):

  • Name: wudpcom
  • Display name: Windows UDP Communication
  • Description: Provides communication between clients and servers over UDP. If this service is stopped, UDP communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to st (the service manager truncates the text here)

This bot first attempts to connect to the following IRC servers on TCP 18067:

  • bbjj.househot.com
  • ypgw.wallloan.com

The bot connects to a specified channel and awaits commands, including:

  • DDoS
  • Scan (for vulnerable systems)
  • Download / execute remote files

Once instructed, the bot scans class A address ranges, sending SYN packets to TCP 139 (netbios-ssn) and TCP 445 (microsoft-ds) to find systems vulnerable to MS05-039. When a vulnerable system is found, the infected host triggers the buffer overflow on the remote system and instructs it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe, and execute it. Unlike many exploiting bots, Mocbot does not use FTP or TFTP for the download; it carries its own downloader code, and the remote system retrieves the worm over a random TCP port.

Symptoms

  • Heavy netbios (TCP 139) and microsoft-ds (TCP 445) network traffic
  • Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
  • A service named wudpcom ("Windows UDP Communication")
  • TCP 18067 connections to bbjj.househot.com or ypgw.wallloan.com

The following registry values are also set by this threat (the first disables DCOM, the second restricts anonymous null-session enumeration of the machine):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM" = n
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous" = 1

The worm creates a file named dcpromo.log in the WINDOWS\DEBUG directory. Note that %windir%\debug\dcpromo.log is also the legitimate log written when a server is promoted to a domain controller, so on a domain controller this file alone is not a reliable indicator.
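The symptoms above translate directly into detection logic. The following Python is an added example, not part of the AVERT write-up: it runs over a connection log, flags TCP 18067 connections to the two listed IRC hosts, flags any source that SYNs to many distinct hosts on 139/445 within a short window (the "heavy netbios and microsoft-ds traffic" symptom, distinguished from a normal client that reuses the same file servers), and checks a file's MD5 against the published hash for wudpcom.exe. The log line format, the scan thresholds and the sample log are constructed assumptions for the example.

```python
"""Turn the IRC-Mocbot symptoms into detection logic over a connection log."""
import hashlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up above.
C2_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SCAN_PORTS = {139, 445}
WUDPCOM_MD5 = "996c9c3a01c9567915212332fe5c1264"

# Scan thresholds are assumptions for this example, not figures from the
# write-up; tune them to the normal SMB fan-out of your own clients.
SCAN_MIN_TARGETS = 20
SCAN_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line in the constructed format
    '<ISO timestamp> <src_ip> <dst> <dst_port> <tcp_flags>'; dst is an IP,
    or a hostname where the sensor resolves names."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def find_c2_connections(events):
    """Connections on TCP 18067. A match on one of the two listed IRC hosts
    is high confidence; 18067 to any other destination is still worth a look
    because an IP-only sensor never shows the hostname."""
    hits = []
    for ev in events:
        if ev["dport"] == C2_PORT:
            confidence = "high" if ev["dst"] in C2_HOSTS else "medium"
            hits.append((ev["src"], ev["dst"], confidence))
    return hits


def find_scanners(events, min_targets=SCAN_MIN_TARGETS, window=SCAN_WINDOW):
    """Sources whose SYNs to 139/445 reach at least min_targets distinct
    hosts inside one sliding window. A normal client hits the same few file
    servers repeatedly; a spreading bot walks an address range once each."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["dport"] in SCAN_PORTS and ev["flags"] == "S":
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = {}
    for src, syns in per_src.items():
        syns.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, dst in syns:
            in_window[dst] += 1
            # Drop SYNs that fell out of the window ending at ts.
            while ts - syns[left][0] > window:
                old = syns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


def is_mocbot_sample(data):
    """True when the file content hashes to the MD5 given for wudpcom.exe."""
    return hashlib.md5(data).hexdigest() == WUDPCOM_MD5


def triage(lines):
    """Run both network checks over raw log lines."""
    events = [parse_line(line) for line in lines]
    return {"c2": find_c2_connections(events),
            "scanners": find_scanners(events)}


def build_sample_log():
    """Constructed log: a benign client reusing two file servers, and a bot
    that checks in to C2 and then sweeps 250 hosts of its class A range on
    TCP 445 at ten SYNs per second."""
    t0 = datetime(2005, 10, 22, 10, 0, 0)
    lines = []
    for i in range(30):
        srv = "10.4.0.10" if i % 2 else "10.4.0.11"
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.4.2.5 {srv} 445 S")
    lines.append(f"{t0.isoformat()} 10.4.2.17 bbjj.househot.com 18067 S")
    for i in range(250):
        ts = (t0 + timedelta(milliseconds=100 * i)).isoformat()
        lines.append(f"{ts} 10.4.2.17 10.{i % 5}.{i % 13}.{i + 1} 445 S")
    return lines


if __name__ == "__main__":
    print(triage(build_sample_log()))
```

On real data, feed triage() the lines from a firewall or flow sensor in the same field order (or adapt parse_line) and pair it with DNS logs if the sensor records only IPs, since the hostname match is what raises a 18067 hit to high confidence. The distinct-target window is what separates the worm's sweep from a busy file-server client: the benign host in the sample sends just as many SYNs on 445 but only ever to two addresses.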

Method of Infection

This worm spreads by exploiting the MS05-039 vulnerability on systems reachable over TCP 139 and 445; no user interaction is required on the target.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Promobot