This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
4611 (2005-10-24)Updated DAT
-- Update Oct 23, 2005 --
After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.
Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them.
This threat exploits the MS05-039 Microsoft Windows vulnerability.
This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wudpcom.exe (MD5: 996c9c3a01c9567915212332fe5c1264) It creates a service with the following properties:
This bot first attempts to connect to the following IRC servers on TCP 18067:
The bot connects to a specified channel and awaits commands, including:
Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds), looking for systems vulnerable to the MS05-039 vulnerability. When a vulnerable system is discovered, the infected host causes a buffer overflow to occur on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it. Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP to achieve the downloading, but rather contains its own downloader code. The remote system downloads the worm via a random TCP port..
The following registry values are also set by this threat:
The worm creates a file named dcpromo.log in the WINDOWS\DEBUG directory.
This worm spreads by exploitin the MS05-039 vulnerability.
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
But in some particular cases, the following steps need to be taken.
Please go to the Microsoft Recovery Console and restore a clean MBR.
On Windows XP:
On Windows Vista and 7: