
UNIRAS Brief - 633/05 - Malicious Software Exploitation of MS05-039 Plug and Play Vulnerability


------------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 633/05 dated 15.08.05  Time: 16:10
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
------------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
------------------------------------------------------------------------------------

Malicious Software Exploitation of MS05-039 Plug and Play Vulnerability


UNIRAS is aware that malicious software is exploiting a vulnerability announced by
Microsoft in a security bulletin on 9 August 2005.  It is believed that in addition 
to known new worms, botnets are exploiting the Plug and Play vulnerability detailed in 

The following web page extracts and links provide further information on W32/Zotob.A,
W32/Zotob.B and W32/Spybot (W32/Sdbot) variants.  Readers may wish to check that their 
Anti-Virus Software (AVS) is up to date and to read the website of their AVS provider 
for further information.

-----------

Microsoft Security Advisory (899588)

"Microsoft is actively analyzing and providing guidance on a malicious worm identified 
as "Worm:Win32/Zotob.A", which is currently circulating on the Internet. The worm is a 
malicious attack which exploits the Windows Plug and Play vulnerability addressed in 
Microsoft Security Bulletin MS05-039 on August 9, 2005. Our initial investigation has 
revealed that the worm remotely attacks Windows 2000-based systems. For more 
information and to help determine if you have been infected by this worm, see the Zotob 
Security Incident Web site or the Microsoft Virus Encyclopedia.

Other versions of Windows, including Windows XP Service Pack 2 and Windows Server 2003, 
are not remotely impacted by "Worm:Win32/Zotob.A". However, there may be ways for these 
operating system versions to become infected through local user interaction or through 
other Malware that may already be installed on the system. Customers can protect against 
this worm by installing the security updates provided by the Microsoft Security Bulletin 
MS05-039 immediately."



Symantec Security Response - W32.Zotob.A

"W32.Zotob.A is a worm that spreads by exploiting the Microsoft Windows Plug and Play 
Service Vulnerability, as described in Microsoft Security Bulletin MS05-039.

W32.Zotob.A can run on, but not infect, computers running Windows 95/98/Me/NT4. Although 
computers running these operating systems cannot be infected, they can still be used to 
infect vulnerable computers that they can connect to.

Note: Definitions prior to Aug 14, 2005 may detect this worm as W32.IRCBot."



F-Secure Virus Descriptions - Zotob.A

"The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) 
through TCP/445. 

It creates 300 threads that connect to random IP addresses within the B-class 
network of the infected system. First it tests connection to port 445 and if successful, it 
tries to exploit the vulnerability. If the attack is successful a shell (cmd.exe) is started 
on port 8888. Through the shell port, the worm sends a ftp script which instructs the remote 
computer to download and execute the worm from the attacker computer using FTP. The FTP server 
listens on port 33333 on all infected computers with the purpose of serving out the worm for 
other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk."



McAfee Inc - W32/Zotob.worm

"This worm creates 16 threads to scan for infectable systems.  The worm targets random class B 
IP addresses, sending SYN packets to TCP Port 445.  When a vulnerable system is found, buffer 
overflow and shellcode is sent to the remote system, creating an FTP script (2pac.txt is the 
script file name) and launching FTP.EXE to download and execute the worm from the source system 
(via TCP port 33333, haha.exe is fetched). "



Sophos virus analysis - W32/Zotob-A

"W32/Zotob-A is a worm and backdoor Trojan for the Windows platform. 

W32/Zotob-A spreads to other network computers by exploiting common buffer overflow 
vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039). 

W32/Zotob-A runs continuously in the background, providing a backdoor server which allows 
a remote intruder to gain access and control over the computer."

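The F-Secure and McAfee extracts above give a defender three network indicators for Zotob.A propagation: a burst of SYNs to TCP/445 against random addresses inside the scanner's own /16 ("B-class" network), a follow-up connection to TCP/8888 (the shell the exploit starts), and the victim pulling the worm back from TCP/33333 on the scanner. The Python script below is an added example, not part of the UNIRAS briefing or of any vendor's material; it scans firewall-style log records for that pattern. The log format, the sample records, the host addresses and the scan threshold are all constructed for this illustration.

```python
"""Flag hosts whose traffic matches the Zotob.A propagation pattern.

Indicators (from the vendor extracts on this page):
  * many SYNs to TCP/445 on addresses inside the scanner's own /16
  * a connection to TCP/8888 on a probed host (shell started by the exploit)
  * a connection back to TCP/33333 on the scanner (worm's FTP server)

The record format, sample data and threshold are constructed for this
example; adapt parse_line() to your own firewall or flow export.
"""
import ipaddress
from collections import defaultdict

SCAN_THRESHOLD = 20  # distinct /16-local 445 targets before we call it scanning (assumed)


def parse_line(line):
    """Constructed format: 'timestamp src_ip dst_ip dst_port tcp_flags'."""
    ts, src, dst, port, flags = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(port), "flags": flags}


def same_slash16(a, b):
    """True when address a lies in the /16 that contains address b."""
    return ipaddress.ip_address(a) in ipaddress.ip_network(f"{b}/16", strict=False)


def analyse(lines, threshold=SCAN_THRESHOLD):
    """Return {host: [finding, ...]} for hosts showing the worm's traffic pattern."""
    targets445 = defaultdict(set)  # scanner -> /16-local hosts it SYN'd on 445
    shell_hits = defaultdict(set)  # attacker -> hosts it contacted on 8888
    ftp_pulls = defaultdict(set)   # FTP server (scanner) -> hosts that pulled from 33333
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["dport"] == 445 and "S" in rec["flags"] and same_slash16(rec["dst"], rec["src"]):
            targets445[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 8888:
            shell_hits[rec["src"]].add(rec["dst"])
        elif rec["dport"] == 33333:
            ftp_pulls[rec["dst"]].add(rec["src"])

    findings = {}
    for host, dsts in targets445.items():
        if len(dsts) >= threshold:
            findings.setdefault(host, []).append(f"{len(dsts)} local hosts probed on 445")
    for host, victims in shell_hits.items():
        findings.setdefault(host, []).append(f"shell port 8888 contacted on {sorted(victims)}")
    for host, clients in ftp_pulls.items():
        findings.setdefault(host, []).append(f"serving 33333 to {sorted(clients)}")
    return findings


def sample_log():
    """Constructed records: one infected host (10.20.3.15) sweeping its /16,
    two benign workstations using a file server, and one successful victim."""
    lines = []
    # 25 SYNs from the infected host to random-looking addresses in 10.20.0.0/16
    for i in range(25):
        lines.append(f"2005-08-15T14:01:{i:02d} 10.20.3.15 10.20.{40 + i}.{(i * 7) % 250 + 1} 445 S")
    # benign SMB traffic: two workstations reaching one file server
    lines.append("2005-08-15T14:02:00 10.20.5.9 10.20.1.1 445 S")
    lines.append("2005-08-15T14:02:01 10.20.5.10 10.20.1.1 445 S")
    # exploit follow-up: shell on the victim, then the victim fetches the worm over FTP
    lines.append("2005-08-15T14:02:30 10.20.3.15 10.20.44.29 8888 S")
    lines.append("2005-08-15T14:02:31 10.20.44.29 10.20.3.15 33333 S")
    # a probe outside the scanner's /16 is not counted as local scanning
    lines.append("2005-08-15T14:03:00 10.20.3.15 10.21.0.5 445 S")
    return lines


if __name__ == "__main__":
    for host, notes in analyse(sample_log()).items():
        print(host)
        for note in notes:
            print("   ", note)
```

Only the infected host is reported: the two workstations touch a single server on 445, so they stay below the threshold, and the probe to 10.21.0.5 is ignored because it leaves the scanner's /16. In a real deployment the 445 threshold needs tuning against normal SMB fan-out, while any connection to 8888 or 33333 from a host that has also been probing 445 is a far stronger signal than either indicator on its own.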

-----------

As Zotob.B is a variant of Zotob.A, the functionality is similar.  
The following URLs provide further information about this worm:

Symantec Security Response - W32.Zotob.B

F-Secure Virus Descriptions - Zotob.B  

McAfee Inc - W32/Zotob.worm.b          

Sophos virus analysis - W32/Zotob-B

W32.Spybot (Sdbot) Variants
---------------------------

McAfee Inc. - W32/Sdbot.worm!MS05-039 

"In typical Sdbot evolutionary fashion, MS05-039 exploit code has been added to the Sdbot 
virus family.  The same activity happened around DcomRPC, LSASS, and a host of other common 
vulnerabilities.  This description covers the initial MS05-039 flavored Sdbot.  At least one 
other MS05-039 exploiting Sdbot variant is known to exist, and at least 3 other SVKP repacks 
are also known."


"They may be seen with the file names pnpsrv.exe or winpnp.exe.  It contains the same MS05-039 
exploit code that is present in W32/Zotob.worm, and is believed to have been written by the same 
author.  The exploit propagation code works in the same fashion, by instructing remote systems 
to FTP the virus from the infected host to download and execute it locally."



Symantec Security Response - W32.Spybot.UBH

"W32.Spybot.UBH is a worm that has distributed denial of service and back door capabilities. 
The worm spreads by using the vulnerability in Microsoft Windows Plug and Play Service (as 
described in Microsoft Security Bulletin MS05-039)."


--------------

------------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone; Not Protectively Marked information may also be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

------------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Microsoft, Symantec, F-Secure,
McAfee, and Sophos for the information contained in this Briefing. 
------------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
------------------------------------------------------------------------------------
<End of UNIRAS Briefing>



This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 