IRC-Mocbot

This page shows the details and results of our analysis of the malware IRC-Mocbot.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

7,846 bytes

Description Added

2005-10-23

Description Modified

2005-10-24

Malware Proliferation

Characteristics

-- Update Oct 23, 2005 --
After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested that MS05-047 was being exploited because of similarities between the two exploits (including overlapping code between publicly available source code), field infection reports in which administrators incorrectly stated that machines were patched against MS05-039, and similarities to an earlier bot exploiting MS05-039 where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them.

This threat exploits the MS05-039 Microsoft Windows vulnerability.

This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wudpcom.exe (MD5: 996c9c3a01c9567915212332fe5c1264). It creates a service with the following properties:

  • Name: wudpcom
  • Display name: Windows UDP Communication
  • Description: Provides communication between clients and servers over UDP. If this service is stopped, UDP communication between clients and servers on the network will be impaired. If this service is disabled, any services that explicitly depend on it will fail to st (the service manager truncates the text here)

This bot first attempts to connect to the following IRC servers on TCP 18067:

  • bbjj.househot.com
  • ypgw.wallloan.com

The bot connects to a specified channel and awaits commands, including:

  • DDoS
  • Scan (for vulnerable systems)
  • Download / execute remote files

Once instructed, the bot scans class A subnet addresses, sending SYN packets to TCP 139 (netbios) and 445 (microsoft-ds), looking for systems vulnerable to MS05-039. When a vulnerable system is discovered, the infected host causes a buffer overflow on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it. Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP to achieve the download, but rather contains its own downloader code. The remote system downloads the worm via a random TCP port.

Symptoms

  • Heavy netbios and microsoft-ds network traffic
  • Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
  • TCP 18067 connections to bbjj.househot.com or ypgw.wallloan.com
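A detection pass over the network symptoms above, as an added example that is not part of the original AVERT write-up: it flags hosts connecting to the two C2 names on TCP 18067 and hosts sending bare SYNs to TCP 139/445 across many distinct addresses. The log format, the sample lines and the SCAN_THRESHOLD of 20 are assumptions.

```python
"""Flag IRC-Mocbot network symptoms in connection-log lines (added example)."""
from collections import defaultdict

# Indicators from the write-up: C2 IRC servers on TCP 18067, SYN sweeps of 139/445.
C2_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SCAN_PORTS = {139, 445}
SCAN_THRESHOLD = 20  # assumed: distinct hosts SYN'd on 139/445 before a source counts as a scanner

def parse_line(line):
    """Parse a constructed 'src dst proto dport flags' line; None if malformed."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    src, dst, proto, dport, flags = parts
    return {"src": src, "dst": dst, "proto": proto.upper(), "dport": int(dport), "flags": flags}

def analyse(lines):
    """Return (c2_sources, scanners): hosts talking to the C2 and hosts sweeping 139/445."""
    c2_sources = set()
    syn_targets = defaultdict(set)  # src -> distinct dsts it sent a bare SYN to on 139/445
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dst"] in C2_HOSTS and rec["dport"] == C2_PORT:
            c2_sources.add(rec["src"])
        if rec["dport"] in SCAN_PORTS and rec["flags"] == "S":
            syn_targets[rec["src"]].add(rec["dst"])
    scanners = {src for src, dsts in syn_targets.items() if len(dsts) >= SCAN_THRESHOLD}
    return c2_sources, scanners

# Constructed sample log: one infected host (10.0.0.5) plus normal SMB traffic from 10.0.0.9.
SAMPLE_LOG = [
    "10.0.0.5 bbjj.househot.com TCP 18067 S",
    "10.0.0.9 fileserver.corp.example TCP 445 S",
    "10.0.0.9 10.0.0.12 TCP 139 S",
    "10.0.0.9 www.example.com TCP 80 S",
] + [f"10.0.0.5 10.{i}.3.7 TCP 445 S" for i in range(25)]

def run_sample():
    """Run the detector over the constructed sample and return its two result sets."""
    return analyse(SAMPLE_LOG)

if __name__ == "__main__":
    c2, scanners = run_sample()
    print("hosts contacting Mocbot C2:", sorted(c2))
    print("hosts sweeping TCP 139/445:", sorted(scanners))
```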

The following registry values are also set by this threat:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM" = n
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous" = 1

The worm creates a file named dcpromo.log in the WINDOWS\DEBUG directory.

Method of Infection

This worm spreads by exploiting the MS05-039 vulnerability.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from the CD-ROM drive.

Variants