RE: MS05-039 Scanner

From: Steve.Cummings@barclayscapital.com
Date: Tue Aug 16 2005 - 03:51:08 EDT


Attack vectors are over TCP ports 139 and 445.
Opens up an FTP server on TCP port 33333 to propagate the worm to other
systems.
Attempts to contact an IRC server at wait.atillaekici.net - 84.244.1.11
to distribute compromised system information.
Generates random IP addresses to attempt compromise using the MS05-039
vulnerability.
Affects Windows 2000 and XP, with NT4 a possibility but unconfirmed.
Once a system is compromised, it then downloads the backdoor payload
from the infecting system's FTP server (on TCP port 33333).
Creates a mutex called "B-O-T-Z-O-R" (minus the speech marks).
Creates a file called %system%\botzor.exe for Zotob.A or
%system%\csm.exe for Zotob.B.
The worm creates the following registry entries so that it runs every
time Windows starts.

Zotob.A:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WINDOWS SYSTEM" = "botzor.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"WINDOWS SYSTEM" = "botzor.exe"

Zotob.B:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"csm Win Updates" = "csm.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"csm Win Updates" = "csm.exe"

The worm also modifies the following registry key to change the Startup
type of Windows Firewall/Internet Connection Sharing (ICS) to
"Disabled":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start" = "0x00000004".
Modifies the hosts file (%system%\drivers\etc\hosts) to blackhole the
major AV vendors' websites and others by routing them to 127.0.0.1.

Above compiled from various sources

Might help you

Regards

Steve Cummings
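A host-side triage check for the indicators listed above, added here as an example (it is not from Steve's post or from any vendor tool); the registry snapshot, hosts file and listener set are constructed sample input, and on a real host they would be filled from the registry, %system%\drivers\etc\hosts and a listening-socket listing.

```python
# Added example (not from the post): host triage for the Zotob indicators above.
# The registry snapshot, hosts file and listener set are constructed sample input.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
ZOTOB_RUN_VALUES = {"WINDOWS SYSTEM": "botzor.exe",   # Zotob.A
                    "csm Win Updates": "csm.exe"}     # Zotob.B
SHAREDACCESS_START = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start"
WORM_FTP_PORT = 33333


def hosts_blackholes(hosts_text):
    """Hostnames the hosts file maps to 127.0.0.1, excluding localhost itself."""
    names = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and padding
        if not line:
            continue
        addr, *hostnames = line.split()
        if addr == "127.0.0.1":
            names.extend(h for h in hostnames if h.lower() != "localhost")
    return names


def zotob_findings(registry, hosts_text, listening_tcp):
    """registry maps 'key_path\\value_name' to its data; returns readable findings."""
    findings = []
    for key in RUN_KEYS:
        for value_name, exe in ZOTOB_RUN_VALUES.items():
            data = registry.get(f"{key}\\{value_name}")
            if data and str(data).lower().endswith(exe):
                findings.append(f"autorun {key}\\{value_name} = {data}")
    if registry.get(SHAREDACCESS_START) == 4:          # Start = 0x00000004 is Disabled
        findings.append("Windows Firewall/ICS (SharedAccess) startup type set to Disabled")
    findings.extend(f"hosts file blackholes {name}" for name in hosts_blackholes(hosts_text))
    if WORM_FTP_PORT in listening_tcp:
        findings.append(f"listener on TCP {WORM_FTP_PORT} (worm FTP server)")
    return findings


# Constructed sample resembling a Zotob.A host; not a real capture
SAMPLE_REGISTRY = {RUN_KEYS[0] + r"\WINDOWS SYSTEM": "botzor.exe",
                   RUN_KEYS[1] + r"\WINDOWS SYSTEM": "botzor.exe",
                   SHAREDACCESS_START: 4}
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1 www.mcafee.com  # constructed blackhole entry
"""

if __name__ == "__main__":
    print("\n".join(zotob_findings(SAMPLE_REGISTRY, SAMPLE_HOSTS, {139, 445, 33333})))
```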

-----Original Message-----
From: michael_black@comcast.net [mailto:michael_black@comcast.net]
Sent: 16 August 2005 03:21
To: pen-test@securityfocus.com
Subject: MS05-039 Scanner

All,

Does anyone know of any available scanners for this vulnerability? I
know Tenable has a plugin for Nessus and eEye has a free one for up to
16 hosts, but I need one for a Class B network and I need it tonight
(long story, but I am sure some of you understand management pressures).
I know eEye sells a version of theirs for larger networks, but I cannot
get anyone on the phone at either Tenable or eEye, any suggestions?

------------------------------------------------------------------------
------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
------------------------------------------------------------------------
-------

------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays
Group does not accept legal responsibility for the contents of this
message. Although the Barclays Group operates anti-virus programmes,
it does not accept responsibility for any damage whatsoever that is
caused by viruses being passed. Any views or opinions presented are
solely those of the author and do not necessarily represent those of the
Barclays Group. Replies to this email may be monitored by the Barclays
Group for operational or business reasons.

------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:45 EDT