RE: cuebot-d infection method

["Matthew Neeley" <matt.neeley@xxxxxxxxxxxxxxxxxxxxxxxxxx>]

Description tab on said site.

W32/Cuebot-D is a network worm with backdoor Trojan functionality for the
Windows platform.

W32/Cuebot-D attempts to spread using a variety of techniques including the
exploitation of the PnP vulnerability (MS05-039).

A patch for the PnP operating system vulnerability exploited by W32/Cuebot-D
can be obtained from Microsoft at:

MS05-039

-----Original Message-----
From: Jeff Bryner [mailto:jbryner1@xxxxxxxxx]
Sent: Wednesday, August 24, 2005 11:03 AM
To: incidents@xxxxxxxxxxxxxxxxx
Subject: cuebot-d infection method


I've seen a couple cuebot-d infections over the last couple days and am
trying to track down the source of them. Has anyone seen enough of this
to know the universe of ways the pc gets initially infected?

The pcs that have gotten infected have mcafee running on them  which
incorrectly picks it up as W32/Sdbot.worm.gen.by when a scan is
requested. It didn't seem to pick it up *until* a scan was requested.

The writeup at http://www.sophos.com/virusinfo/analyses/w32cuebotd.html
fits the scenario, but it doesn't say exactly what the initial
infection vector is.

Thanks for any help.

Jeff
CISSP, GCIH, GCFA