W32.Esbot.A

Brief Description:
--------------------
W32.Esbot.A is a worm that exploits the Windows Plug and Play vulnerability that you have seen recent announcements about (Microsoft Security Bulletin MS05-039). It opens a backdoor and attempts to spread to other vulnerable machines on internal and external networks. We have not had any reports of this worm appearing on campus yet, although it has been spreading rapidly worldwide.

Characteristics:
------------------
When W32.Esbot.A is executed, it performs the following actions:

1. Creates the following mutex so that only one copy of the worm runs on the compromised computer:
   • mousebm

2. Copies itself as the following file:
   • %System%\mousebm.exe

3. Runs itself as the following service:
   Service Name: mousebm
   Display Name: Mouse Button Monitor
   Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
   Path to executable: %System%\mousebm.exe

4. Injects itself into explorer.exe.

5. Modifies the value:
   "EnableDCOM" = "N"
   in the registry subkey:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
   to disable DCOM.

6. Adds the value:
   "restrictanonymous" = "1"
   to the registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
   to restrict anonymous access to network shares.

7. Creates the following empty read-only file:
   %Windir%\debug\dcpromo.log

   Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt. %System% refers to the System folder inside it; by default, this is C:\Windows\System32 or C:\Winnt\System32.

8. Attempts to connect to one of the following IRC servers on TCP port 18067 to listen for IRC commands:
   • esxt.is-a-fag.net
   • esxt.legi0n.net

9. IRC commands allow the attacker to perform the following actions:
   • Download and execute files
   • List, stop, and start processes and threads
   • Launch Denial of Service (DoS) attacks
   • Find files on local hard disks
   • Scan for computers and attempt to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm sends shellcode to the remote machine and transfers a copy of itself.

Recovery:
-----------
Because this worm/trojan combination compromises machines at the system level, formatting infected machines is recommended. The backdoor lets the attacker download and execute arbitrary files, so there is no way to know what else was installed after the initial infection. A full system format and reinstall is the only way to completely ensure network and data security after a compromise such as this. Patch the rebuilt machine (see Protection) before returning it to the network.

Protection:
------------
To prevent machines from being infected or targeted, you must install the patch for the Plug and Play vulnerability. There are different patch downloads depending on operating system and service pack level. For full details and downloads, see the following page:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Symantec virus definitions dated 8/16/2005 revision af (32) or later will detect this worm. Instructions on how to update NAV definition files are located at:
http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Further Information:
-----------------------
For further information regarding W32.Esbot.A, see the following sites:
http://www.symantec.com/avcenter/venc/data/w32.esbot.a.html
http://www.f-secure.com/v-descs/ircbot_es.shtml
http://vil.nai.com/vil/content/v_135493.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FESBOT%2EA&VSect=P
http://www.sophos.com/virusinfo/analyses/w32sdbotacg.html
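The host-based indicators listed under Characteristics (service name, dropped file, registry values, marker file, and the IRC port) can be checked on a suspect machine with the following script. This is an added example for this page, not code from the advisory or from any vendor writeup. It assumes an elevated PowerShell session and a Windows version with Get-NetTCPConnection (Windows 8 / Server 2012 or later); the SysWOW64 path is checked as well because a 32-bit worm writing to %System% on a 64-bit Windows is redirected there. The two registry values are also legitimate hardening settings and a real dcpromo.log from a domain controller promotion is non-empty, so those three are reported as weak indicators only.

```powershell
# Added example (not from the original advisory): triage a host for the
# W32.Esbot.A indicators listed under "Characteristics".
# Assumes an elevated session and Get-NetTCPConnection (Windows 8/2012+).

function Test-EsbotIndicators {
    $findings = @()

    # Item 3: service "mousebm" with display name "Mouse Button Monitor".
    $svc = Get-CimInstance Win32_Service -Filter "Name='mousebm' OR DisplayName='Mouse Button Monitor'"
    foreach ($s in $svc) {
        $findings += "Service: $($s.Name) ($($s.DisplayName)) state=$($s.State) path=$($s.PathName)"
    }

    # Item 2: dropped copy %System%\mousebm.exe. SysWOW64 is checked too because a
    # 32-bit process writing to System32 on 64-bit Windows is redirected there.
    foreach ($rel in @('System32\mousebm.exe', 'SysWOW64\mousebm.exe')) {
        $bin = Join-Path $env:SystemRoot $rel
        if (Test-Path -LiteralPath $bin) {
            # Hash the sample so it can be matched against the vendor writeups.
            $sha256 = (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash
            $findings += "File: $bin sha256=$sha256"
        }
    }

    # Items 5 and 6: registry values the worm sets. Both are also legitimate
    # hardening settings, so they are supporting evidence only.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
    if ($ole -and $ole.EnableDCOM -eq 'N') {
        $findings += 'Registry (weak indicator): HKLM\Software\Microsoft\Ole\EnableDCOM = N'
    }
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name restrictanonymous -ErrorAction SilentlyContinue
    if ($lsa -and $lsa.restrictanonymous -eq 1) {
        $findings += 'Registry (weak indicator): HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = 1'
    }

    # Item 7: empty, read-only %Windir%\debug\dcpromo.log. A genuine dcpromo.log
    # from an Active Directory promotion is not empty, so only the empty+read-only
    # combination is reported.
    $log = Join-Path $env:SystemRoot 'debug\dcpromo.log'
    if (Test-Path -LiteralPath $log) {
        $item = Get-Item -LiteralPath $log -Force
        if ($item.Length -eq 0 -and $item.IsReadOnly) {
            $findings += "File (weak indicator): empty read-only $log"
        }
    }

    # Item 8: IRC command channel on TCP/18067, with the owning process resolved
    # (the worm injects into explorer.exe, so expect that name rather than mousebm).
    $conns = Get-NetTCPConnection -RemotePort 18067 -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $findings += "Network: $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) $($c.State) pid=$($c.OwningProcess) ($($proc.ProcessName))"
    }

    # Unary comma keeps an empty result as an array instead of $null.
    return ,$findings
}

$results = Test-EsbotIndicators
if ($results.Count -eq 0) {
    Write-Output 'No W32.Esbot.A indicators found on this host.'
} else {
    Write-Output 'W32.Esbot.A indicators found; isolate the host and see Recovery:'
    $results | ForEach-Object { Write-Output "  $_" }
}
```

Any hit on the service, the dropped binary, or the port 18067 connection is sufficient to treat the machine as compromised; the weak indicators on their own call for a second look rather than a rebuild. Run the check before the host is powered off so the network connection, if present, is still visible.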