IRC-Mocbot!MS06-040

This page shows details and results of our analysis on the malware IRC-Mocbot!MS06-040

Overview

This is a detection for variants of IRC-Mocbot that exploit the Microsoft Windows Server Service buffer overflow (MS06-040) against Windows 2000 machines.

This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0) or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates one of the following services:

  • Name: wgareg
  • Display name: Windows Genuine Advantage Registration Service
  • Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
  • Name: wgavm
  • Display name: Windows Genuine Advantage Validation Monitor
  • Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability.

(The "Windows Genuine Advantage" components that Microsoft installs via Windows Update do not normally include a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory, so either file in that location should be treated as suspect.)

 


Minimum Engine

5600.1067

File Length

Varies

Description Added

2006-08-13

Description Modified

2006-08-14

Malware Proliferation

Characteristics

As in older variants, the bot first attempts to connect to the following IRC servers on TCP port 18067:

  • bbjj.househot.com
  • ypgw.wallloan.com

The bot connects to a specified channel and awaits commands, including:

  • DDoS
  • Scan (for vulnerable systems)
  • Download / execute remote files

Once instructed, the bot scans class A-sized address ranges, sending TCP SYN packets to ports 139 (netbios-ssn) and 445 (microsoft-ds) to find systems vulnerable to MS06-040. When a vulnerable system is found, the infected host triggers the buffer overflow on the remote system; the injected code instructs the victim to download a copy of Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe, and execute it. Unlike many exploit-based bots, Mocbot does not rely on FTP or TFTP for this transfer but carries its own downloader code; the victim retrieves the worm over a random TCP port.
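The sweep just described has a simple network signature: one source sends SYNs to many distinct hosts on 139/445 in a short time, which no ordinary SMB client does. The detector below is an added example (not McAfee's code and not derived from a Mocbot sample); the flow record format `ts,src,dst,dport,flags` is an assumption, and the records in `sample_flows()` are constructed, not captured traffic.

```python
"""Flag hosts sweeping TCP 139/445, the propagation pattern of IRC-Mocbot!MS06-040.

Added example for this page, not McAfee's code. The flow format
'ts,src,dst,dport,flags' is an assumption; adapt parse_flow() to your sensor.
"""
from collections import Counter, defaultdict

SMB_PORTS = {139, 445}          # netbios-ssn and microsoft-ds


def parse_flow(line):
    """Parse one 'ts,src,dst,dport,flags' record (assumed format)."""
    ts, src, dst, dport, flags = line.strip().split(",")
    return int(ts), src, dst, int(dport), flags


def find_scanners(lines, window=60, min_targets=50):
    """Return {src: distinct_targets} for every source that sent SYN-only
    packets to at least min_targets distinct hosts on 139/445 inside some
    window of `window` seconds. The value is the largest count seen.
    """
    syns = defaultdict(list)    # src -> [(ts, dst)] for SYN-only packets
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, flags = parse_flow(line)
        if dport in SMB_PORTS and flags == "S":     # SYN without ACK
            syns[src].append((ts, dst))

    hits = {}
    for src, events in syns.items():
        events.sort()
        in_window = Counter()   # dst -> SYNs currently inside the window
        lo = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[lo][0] > window:     # evict expired events
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits


def sample_flows():
    """Constructed flow records (not captured traffic): one host sweeping
    10.1.0.0/24 on 445, one ordinary SMB client, one unrelated HTTP client."""
    lines = []
    for i in range(80):                       # 10.0.0.5: 80 targets in 40 s
        lines.append(f"{1000 + i // 2},10.0.0.5,10.1.0.{i + 1},445,S")
    for i in range(5):                        # 10.0.0.9: one file server
        lines.append(f"{1000 + i * 10},10.0.0.9,10.1.0.1,445,S")
        lines.append(f"{1001 + i * 10},10.0.0.9,10.1.0.1,445,A")
    for i in range(60):                       # 10.0.0.7: HTTP, not SMB
        lines.append(f"{1000 + i},10.0.0.7,10.2.0.{i + 1},80,S")
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(sample_flows()).items():
        print(f"possible MS06-040 sweep from {src}: {n} distinct 139/445 targets")
```

The threshold and window are tuning knobs: a vulnerability scanner or a backup server will also trip the rule, so whitelist known sweepers and confirm a hit with the host-side symptoms listed below.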

Symptoms

  • Heavy netbios-ssn (TCP 139) and microsoft-ds (TCP 445) network traffic
  • Presence of the file wgareg.exe or wgavm.exe in the WINDOWS SYSTEM directory
  • TCP 18067 connections to bniu.househot.com, bbjj.househot.com or ypgw.wallloan.com

The following registry keys may be added or modified. Together they disable DCOM, suppress the Windows Security Center firewall and anti-virus monitoring and notifications, turn off the Windows Firewall (including its SharedAccess service), and restrict anonymous connections:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM = "n"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusdisablenotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusoverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisableoverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start = 0x00000004
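The host-side symptoms above (dropped file, C2 connection on TCP 18067, tampered registry values) can be checked mechanically. The triage script below is an added example, not McAfee's code; it takes its inputs as data (a file's bytes, netstat-style lines, a dict of registry values) so the logic runs anywhere. The netstat lines and registry dict are constructed samples, and the "restore to" values are the usual Windows defaults, which is an assumption about the machine's pre-infection configuration.

```python
"""Host triage for the IRC-Mocbot!MS06-040 indicators listed on this page.

Added example, not McAfee's code. Inputs are passed in as data so the
checks are testable offline; wire them to os.walk(), 'netstat -an' and
winreg on a real host.
"""
import hashlib

# Indicators from the page. MD5 is used only because that is the hash the
# description provides; it is not collision resistant.
KNOWN_BAD_MD5 = {
    "9928a1e6601cf00d0b7826d13fb556f0": "wgareg.exe",
    "2bf2a4f0bdac42f4d6f8a062a7206797": "wgavm.exe",
}
DROPPED_NAMES = {"wgareg.exe", "wgavm.exe"}
SERVICE_NAMES = {"wgareg", "wgavm"}
IRC_PORT = 18067

# path -> (value the worm writes, value to restore). Restore values are
# the usual Windows defaults (assumption); restrictanonymous=1 is itself a
# hardening setting, so restore it according to your own policy.
TAMPERED_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM": ("n", "Y"),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusdisablenotify": (1, 0),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusoverride": (1, 0),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify": (1, 0),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisableoverride": (1, 0),
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous": (1, 0),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall": (0, 1),
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall": (0, 1),
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start": (4, 2),
}


def classify_hash(md5_hex):
    """Return the Mocbot filename a hash is known under, or None."""
    return KNOWN_BAD_MD5.get(md5_hex.lower())


def check_file(name, data):
    """Classify a file by hash first, then by drop name (catches new builds)."""
    digest = hashlib.md5(data).hexdigest()
    if classify_hash(digest):
        return [f"{name}: MD5 {digest} matches known Mocbot sample"]
    if name.lower() in DROPPED_NAMES:
        return [f"{name}: Mocbot drop name, unknown MD5 {digest} (possible new variant)"]
    return []


def check_connections(netstat_lines):
    """Return [(remote_host, state)] for TCP connections to remote port 18067.
    Expects 'netstat -an' style lines: proto, local, foreign, state."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        host, _, port = parts[2].rpartition(":")
        if port.isdigit() and int(port) == IRC_PORT:
            hits.append((host, parts[3]))
    return hits


def check_registry(observed):
    """Compare observed {path: value} (paths case-insensitive) with the
    worm's settings. Returns [(path, observed_value, restore_to)]."""
    lookup = {k.lower(): v for k, v in observed.items()}
    findings = []
    for path, (bad, good) in TAMPERED_VALUES.items():
        if path.lower() not in lookup:
            continue
        value = lookup[path.lower()]
        same = (value.lower() == bad.lower()) if isinstance(value, str) and isinstance(bad, str) else value == bad
        if same:
            findings.append((path, value, good))
    return findings


# Constructed samples, not taken from an infected host.
SAMPLE_NETSTAT = """\
  TCP    192.168.1.20:1057      192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.20:1061      203.0.113.10:18067     ESTABLISHED
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
""".splitlines()

SAMPLE_REGISTRY = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM": "n",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify": 1,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall": 1,
}

if __name__ == "__main__":
    for f in check_file("wgareg.exe", b"placeholder bytes, not the worm"):
        print(f)
    for host, state in check_connections(SAMPLE_NETSTAT):
        print(f"IRC C2 connection to {host}:{IRC_PORT} ({state})")
    for path, seen, good in check_registry(SAMPLE_REGISTRY):
        print(f"tampered: {path} = {seen!r}, restore to {good!r}")
```

Hash and name checks are complementary: the MD5s identify the two builds McAfee analysed, while the drop name and the service names catch repacked variants, and the registry comparison doubles as the checklist for the manual restoration the Removal section calls for.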

 

Method of Infection

This worm spreads by exploiting the MS06-040 vulnerability over TCP 139 and 445.

Removal

All Users:
Please update to 4828 (08/13/2006) or later DAT release package

Intrushield protects against this threat with sigset(s) 3.1.19, 2.1.46, 1.9.63 and 1.8.80, released on ?/8/2006.

Buffer Overflow Protection in VirusScan Enterprise 8.0 and VirusScan Consumer 11 does NOT protect against this threat.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This threat modifies a number of system settings, including disabling the default Windows Firewall on the infected machine. Cleaning removes the worm and its startup hooks but does not undo these changes; re-enable the firewall and the Security Center notifications, and reset the registry values listed under Symptoms to their original settings, manually.

 

Variants