Posted: 8/17/2005 12:05:14 PM EDT
Fun fun fun.

Rebuilt my server on monday.

Luckily I had just run complete backups.

So anyone else?
Link Posted: 8/17/2005 12:07:00 PM EDT
Not infected, but the flurry of excitement of rolling out emergency patches to all production servers along with IDS updating, client level patching and remediation and such is a real joy.
Link Posted: 8/17/2005 12:49:41 PM EDT
No problems here but I use WSUS for our network.
Link Posted: 8/17/2005 12:50:08 PM EDT

Originally Posted By CeramicGod:
Not infected, but the flurry of excitement of rolling out emergency patches to all production servers along with IDS updating, client level patching and remediation and such is a real joy.



Well to clarify, I don't think what got the server on Mon, is the same one that hit yesterday.

But yes I am having a real good time this week.

Oh well, at least it's not the first week of classes.
Link Posted: 8/17/2005 12:59:08 PM EDT

Originally Posted By rdubbz:
No problems here but I use WSUS for our network.



A big same here. Our environment has taken several steps over the years to streamline the deployment of patches, and security configurations to the 200,000 plus desktop/laptop systems.

We use a combination of SMS, WSUS, SUS, HFNETCHECKPRO, and scripts to deploy patches. Plus our centrally controlled firewall client on desktop/laptops received a push to make sure all appropriate traffic is blocked on a receiving and sending basis.
Link Posted: 8/17/2005 1:03:12 PM EDT
It's no prob' with "Bob".

Link Posted: 8/17/2005 1:14:01 PM EDT
Link Posted: 8/17/2005 1:15:47 PM EDT

Originally Posted By California_Kid:
It's no prob' with "Bob".

www.subgenius.com/bigfist/pics2/logoart/dobbs6x9.GIF




PRAISE BOB, brother yeti!

Come on down you saucer men and take me out to space!
Link Posted: 8/17/2005 1:17:53 PM EDT
How do these worms work?

Required to open a bad email or something?
Link Posted: 8/17/2005 1:19:37 PM EDT
My servers run on Linux. What worms?
Link Posted: 8/17/2005 1:19:52 PM EDT

Originally Posted By Red_Beard:
How do these worms work?

Required to open a bad email or something?



No, the requirements are to have unpatched Windows on a network with an infected host, and then ba-da-bing, you've got it too.
Link Posted: 8/17/2005 2:25:21 PM EDT




WORM_ZOTOB.D


The worm actually kills spyware. LOL


File type: PE
Memory resident: Yes
Size of malware: 51,326 Bytes
Ports used: Random, TCP port 445 (Microsoft-DS), TCP port 6667 (IRCU), TCP port 7778 (Interwise)
Initial samples received on: Aug 16, 2005
Compression type: UPX, Yoda's Cryptor
Vulnerability used: (MS05-039) Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Payload 1: Compromises system security
Payload 2: Steals information
Payload 3: Displays message
Trigger condition 1: Upon finding a certain value in the system registry
Payload 4: Deletes registry entries
Payload 5: Deletes files and folders
Payload 6: Terminates processes

Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm checks the value of the following registry entry:

HKEY_LOCAL_MACHINE\Software\Drudgebot
Halt

If the value of the registry entry is "TRUE" (i.e., Halt = "TRUE"), this worm displays the following message box then terminates:

Drudgebot

It proceeds to check if the mutex windrg322 exists. If it does, this worm deletes the executed file and terminates. Otherwise, it creates the following mutexes:

windrg322

windrg322-TI

It then creates the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WinDrg32 = "%System%\wbev\windrg32.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops a copy of itself in the %System%\wbev folder as the file WINDRG32.EXE. It also executes the dropped file and deletes itself.

Propagation Routine

This worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, please refer to the following Microsoft Web page:

Microsoft Security Bulletin MS05-039

It generates random IP addresses to target, then checks if port 445 is open on a generated target IP address. If the said port is open, it attempts to exploit the target system.

If it fails to exploit the said system or if port 445 is not open, it generates another IP address to target. Otherwise, this worm initiates an FTP server on the affected system. The said system then opens a remote shell on port 7778 and creates an FTP script through the remote shell.

When the exploit code encounters an error on the target machine, it causes SERVICES.EXE, which holds most of the system services, to terminate. This in turn causes the target machine to shut down.

Note that this propagation routine works only on Windows NT and 2000, because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting it in Windows XP and Server 2003.

Backdoor Capabilities

This worm also has backdoor capabilities. Prior to launching its backdoor component, this worm checks for network connection by using the InternetGetConnectedState() API and by attempting to resolve the IP addresses of the following sites:

* www.ebay.com
* www.google.com
* www.yahoo.com

It then opens random ports, including port 6667 (a normal IRC port), which enable it to connect to any of the following the IRC servers:

* db23.hack-syndicate.org
* db23a.hack-syndicate.org
* spookystreet.m00p.org
* spookystreet.udp-flood.com

Once a connection is established, this worm joins a specific IRC channel, where it listens for the following commands coming from a remote malicious user:

* Connect to a particular IRC server
* Download a file from the Internet
* Download an updated copy of itself
* Execute a Google search
* Flood a target host
* Perform basic IRC commands
* Terminate processes
* Uninstall a copy of itself
* Visit a specific URL

However, it does not connect to the remote IRC servers if the IP addresses of the said servers fall under one of the following IP ranges:

* 0.0.0.0 to 0.255.255.255
* 10.0.0.0 to 10.255.255.255
* 127.0.0.0 to 127.255.255.255
* 169.254.0.0 to 169.254.255.255
* 192.168.0.0 to 192.168.255.255

Information Theft

Part of this worm's backdoor capabilities is to retrieve system information, such as CPU speed and memory size. It does this by checking the following registry key:

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

It also gathers the following data:

* Currently logged user, or the name of the user where this worm is currently executing
* Computer name
* Operating system version and additional version information (e.g., Service Pack version)
* Memory status

It also attempts to crack the passwords of the infected machine’s local user accounts by using the following password list:

* 123
* 12345
* 123456
* 12345678
* 54321
* 654321
* 88888888
* abc
* abc123
* account
* admin
* administrateur
* administrator
* amministratore
* asd
* asdf
* asdfgh
* austin
* azer
* azert
* azerty
* barbara
* black
* casa
* charles
* computer
* criminal justice
* david
* desktop
* dorothy
* elizabeth
* famiglia
* family
* god
* green
* guess
* Haupt
* hello
* home
* hot chilli
* house
* inhaber
* James
* Jennifer
* john
* Joseph
* lavoro
* letmein
* light tanks
* linda
* living dead
* London
* maison
* margaret
* maria
* mary
* michael
* near miss
* old news
* owner
* paris
* pass
* passe
* password
* passwort
* Patricia
* peace force
* pink
* propri
* proprietaire
* proprietario
* purple
* qsd
* qsdfgh
* qwert
* qwerty
* qwertyui
* qwertz
* richard
* Robert
* school
* secret
* secure
* susan
* taire
* test
* testing
* Thomas
* universita
* white
* William
* work

Administrators and users are advised to avoid using these passwords in their accounts.

Payload

This worm launches a thread designed to remove certain malware and spyware from the system. It does this by going through a cycle of process termination, file/folder deletion, and registry cleanup.

It terminates the following processes:

* botzor.exe - related to WORM_ZOTOB.A
* CMESys.exe - related to SPYW_GATOR variants
* csm.exe - related to WORM_ZOTOB.B
* CxtPls.exe - related to ADW_APROPOS variants
* NHUpdater.exe - related to SPYW_NAVEXCEL variants
* pnpsrv.exe - related to BKDR_RBOT.BC
* qttask.exe
* realsched.exe
* ViewMgr.exe
* winpnp.exe - related to WORM_RBOT.CBD
* %Program%\AutoUpdate\AutoUpdate.exe - related to ADW_ENVOLO.A
* %Program%\CommonFiles\GMT\GMT.exe - related to SPYW_GATOR variants
* %Program%\eZula\mmod.exe - related to ADW_EZULA variants

(Note: %Program% is the Program Files directory which is usually C:\Program Files.)

It also terminates processes that match the string EbatesMoeMoneyMaker*.exe, as well as all .EXE files run from the following subdirectories in the Program files folder:

* 180Solutions - related to ADW_SOLU180 variants
* Common Files\WinTools - related to SPYW_WEBSEARCH variants
* HotBar - related to ADW_HOTBAR variants
* MyWebSearch - related to ADW_WEBSEARCH variants
* MyWay - related to ADW_MIWAY variants
* Toolbar

It deletes the following files in the Windows system directory:

* botzor.exe - related to WORM_ZOTOB.A
* csm.exe - related to WORM_ZOTOB.B
* pnpsrv.exe - related to BKDR_RBOT.BC
* winpnp.exe - related to WORM_RBOT.CBD

It also deletes the following subdirectories in the Program files folder:

* 180Solutions - related to ADW_SOLU180 variants
* AutoUpdate - related to ADW_APROPOS variants
* Common Files\CMEII - related to SPYW_GATOR variants
* Common Files\GMT - related to SPYW_GATOR variants
* Common Files\WinTools - related to SPYW_WEBSEARCH variants
* CxtPls - related to ADW_APROPOS variants
* EbatesMoeMoneyMaker - related to ADW_TREBATES.B
* eZula - related to ADW_EZULA variants
* Hotbar - related to ADW_HOTBAR variants
* MyWay - related to ADW_MIWAY variants
* MyWebSearch - related to ADW_WEBSEARCH variants
* NavExcel - related to SPYW_NAVEXCEL variants
* Toolbar

It deletes registry entries when the values match any of the following:

* 180 - related to ADW_SOLU180 variants
* 180ax - related to ADW_SOLU180 variants
* Apropos - related to ADW_APROPOS variants
* AutoUpdater - related to ADW_APROPOS variants
* CMESys - related to SPYW_GATOR variants
* csm Win Updates - related to WORM_ZOTOB.B
* Ebates
* EbatesMoeMoneyMaker - related to ADW_TREBATES.B
* eZmmod - related to ADW_EZULA variants
* eZula - related to ADW_EZULA variants
* Gator - related to ADW_GATOR variants
* GatorDownloader - related to ADW_GATOR variants
* Hotbar - related to ADW_HOTBAR variants
* IBIS TB
* msbb - related to ADW_NCASE variants
* MyWay - related to ADW_MIWAY variants
* MyWebSearch - related to ADW_WEBSEARCH variants
* NavExcel - related to SPYW_NAVEXCEL variants
* QuickTime
* QuickTime Task
* Real
* saie
* sais
* TBPS
* TkBellExe - related to WORM_LOVGATE variants
* Toolbar
* tov
* Trickler - related to SPYW_GATOR variants
* ViewMgr - related to SPYW_GATOR variants
* Viewpoint
* WINDOWS SYSTEM
* WeatherOnTray - related to ADW_HOTBAR variants
* WinTools - related to SPYW_WEBSEARCH variants
* Windows PNP - related to WORM_RBOT.CBD
* Windows PNP Server - related to BKDR_RBOT.BC
* Zotob - related to WORM_ZOTOB variants

The said registry entries may be found in the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Platform

This worm runs on Windows 95, 98, ME, 2000, XP, and Server 2003.
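The network indicators in the write-up above (random-IP sweeps on TCP 445, a remote shell on TCP 7778, IRC command and control on TCP 6667) turned into a small per-source detector. This is an added example, not part of the original post or the vendor write-up; the flow records, host addresses and alert threshold are constructed for illustration.

```python
"""Flag Zotob-style propagation and C2 behaviour in connection logs.

Added example (not from the forum post or Trend Micro): the worm scans
random targets on TCP/445, opens a shell on TCP/7778 on victims, and
connects out to IRC on TCP/6667. A single source showing a wide 445
sweep plus traffic on those ports is a strong host-compromise signal.
"""
from collections import defaultdict

# Ports named in the write-up, mapped to the behaviour they indicate.
ZOTOB_PORTS = {7778: "remote shell / FTP script", 6667: "IRC C2"}
SCAN_THRESHOLD = 20  # distinct TCP/445 targets per source before alerting (constructed)


def make_sample_flows():
    """Constructed flow records as (src, dst, dport). Not real traffic."""
    flows = []
    # Infected host sweeping 30 distinct addresses on 445.
    for i in range(30):
        flows.append(("10.1.2.50", f"203.0.113.{i + 1}", 445))
    flows.append(("10.1.2.50", "203.0.113.9", 7778))   # shell to a victim it exploited
    flows.append(("10.1.2.50", "198.51.100.4", 6667))  # outbound IRC C2 connection
    # Legitimate client talking to two file servers on 445: must not alert.
    flows += [("10.1.2.77", "10.1.0.10", 445), ("10.1.2.77", "10.1.0.11", 445)]
    return flows


def analyze(flows, threshold=SCAN_THRESHOLD):
    """Return {src: [finding, ...]} for sources showing worm-like traffic."""
    targets_445 = defaultdict(set)
    c2_hits = defaultdict(list)
    for src, dst, dport in flows:
        if dport == 445:
            targets_445[src].add(dst)          # count distinct targets, not packets
        elif dport in ZOTOB_PORTS:
            c2_hits[src].append(f"{dst}:{dport} ({ZOTOB_PORTS[dport]})")
    findings = defaultdict(list)
    for src, dsts in targets_445.items():
        if len(dsts) >= threshold:
            findings[src].append(f"TCP/445 sweep of {len(dsts)} distinct hosts")
    for src, hits in c2_hits.items():
        findings[src].extend(hits)
    return dict(findings)


if __name__ == "__main__":
    for host, items in analyze(make_sample_flows()).items():
        print(host)
        for item in items:
            print("  -", item)
```

Normal SMB clients talk to a handful of servers, so the distinct-target count separates them from a sweep; tune the threshold to the size of your own subnets.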
Link Posted: 8/17/2005 2:49:06 PM EDT
Trying to do some desktop support. Microsoft's download site has been impossible to get through to. I hope it is better tomorrow, I am getting behind.
Link Posted: 8/17/2005 2:54:16 PM EDT
Link Posted: 8/17/2005 2:55:06 PM EDT
no problems here on over 15,000 nodes spread out over several locations...
Link Posted: 8/17/2005 2:56:23 PM EDT
I know for a fact that a certain rocket manufacturer in north Alabama was practically shut down all day behind this worm virus thingy. The whole company nationwide felt the wrath of this virus. They finally got the systems back up and running at about 14:30.