Name : W32/IRCbot.worm!MS05-039
Type: Virus
SubType: Internet Relay Chat
When the file is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE. The file can be run automatically through exploitation of the MS05-039 vulnerability, or by a person directly executing the worm.
Registry keys are created to load the worm at startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe
Indications of Infection
If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, the system will continually reboot.
Method of Infection
This threat scans for MS05-039 exploitable systems. When a vulnerable system is found, it uses a buffer overflow to write the worm file to that machine via a TFTP upload on port 8594. Blocking this port via McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow is not prevented.
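For defenders reviewing firewall logs, the sketch below flags traffic on the port named above and lists hosts that completed a transfer. It is an added example, not part of the original description; the log lines are constructed, the column layout is assumed to follow a Windows Firewall style `#Fields:` header, and the function names are hypothetical.

```python
from collections import defaultdict

WORM_PORT = 8594  # TFTP transfer port named in the description above

# Constructed sample log (assumption: a "#Fields:" header names the columns).
# Addresses are documentation ranges; the description does not state the
# transport, so records are matched on port number only.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size
2005-08-17 10:01:12 ALLOW UDP 192.0.2.10 192.0.2.44 1034 8594 58
2005-08-17 10:01:13 ALLOW UDP 192.0.2.44 192.0.2.10 8594 1034 516
2005-08-17 10:02:40 DROP TCP 192.0.2.10 192.0.2.51 1041 8594 48
2005-08-17 10:03:02 ALLOW TCP 192.0.2.10 198.51.100.7 1050 80 48
2005-08-17 10:03:09 truncated line
"""

def find_port_hits(log_text, port=WORM_PORT):
    """Return {(src_ip, dst_ip): {"count": n, "actions": set}} for records
    whose source or destination port equals `port`."""
    fields = []
    hits = defaultdict(lambda: {"count": 0, "actions": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) < len(fields):
            continue  # malformed or truncated record
        rec = dict(zip(fields, values))
        try:
            ports = {int(rec["src-port"]), int(rec["dst-port"])}
        except (KeyError, ValueError):
            continue  # records without numeric ports (e.g. "-")
        if port in ports:
            entry = hits[(rec["src-ip"], rec["dst-ip"])]
            entry["count"] += 1
            entry["actions"].add(rec["action"])
    return dict(hits)

def hosts_to_inspect(hits):
    """Every address seen on either end of an ALLOWed transfer."""
    return sorted({ip for pair, e in hits.items()
                   if "ALLOW" in e["actions"] for ip in pair})
```

Hosts returned by `hosts_to_inspect` are the ones to check for WINTBP.EXE in the System directory and the `wintbp.exe` Run value described above.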
Wednesday, August 17, 2005