NEWS FROM THE LAB - Monday, August 15, 2005

More malware exploiting the PnP vulnerability
Posted by Mikko @ 20:50 GMT

Screenshot from the raw Ircbot.es code after unpacking
We were contacted some hours ago by an organization that had several hundred Windows computers in their internal network infected by a new variant of Ircbot. While analysing the malware, we noticed that this Ircbot variant had something new up its sleeve: instead of the usual replication methods of guessing share passwords or probing for RPC/LSASS vulnerabilities, this bot was using the brand new MS05-039 Plug-and-Play vulnerability - just like the Zotob worm.

The organization in question had lots of Windows 2000 machines behind their master firewall. Once one machine got infected, the bot could easily find lots of machines to infect in the internal network.

Once again, patch now.

We named the new critter Backdoor.Win32.IRCBot.es. Full details can be found in the description.

PS. One more Zotob variant (Zotob.C) has been found too. This one spreads over both PnP and ASN.1 vulnerabilities as well as via email.