This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4558 (2005-08-15)Updated DAT
This worm exploits the MS05-039 vulnerability. There are at least 2 other W32/Sdbot based worms know to exist that also exploit this vulnerability. They may be seen with the filenames pnpsrv.exe or winpnp.exe.
This self-executing worm spreads by exploiting Windows2000 MS05-039 vulnerable systems in order to instruct those systems to download and execute the worm.
On Demand Scans may detect this threat as New Malware.n with the 4551 DAT files or newer.
VirusScan Enterprise 8.0i and Managed VirusScan's generic buffer overflow protection protects against code execution that may result from exploitation of MS05-039.
The worm creates the file botzor.exe in the WINDOWS SYSTEM directory and registry run keys are created to load the worm at startup:
An additional registry change is made:
The HOSTS file is appended to block access to anti-virus websites. Appended HOSTS files are proactively detected as QHosts-35.
The worm contains BOT functionality. It attempts to connect to diabl0.turkcoders.net on TCP port 8080 and join a specified channel to wait for further instructions. Commands include:
This worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script (2pac.txt is the script file name) and launching FTP.EXE to download and execute the worm from the source system (via TCP port 33333, haha.exe is fetched).
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: