NEWS FROM THE LAB - Sunday, October 23, 2005

First MS05-047 malware found Posted by Mikko @ 10:25 GMT

We're currently looking at a botnet client known as "Mocbot".

This botnet client has been spread using the MS05-047 vulnerability. This is the first case we've seen of this vulnerability being used by malware.

One symptom of infection is the existence of a file called wudpcom.exe in the SYSTEM directory. The botnet client tries to connect to two IRC servers in Russia, but the servers appear to be down (or overloaded).

Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft web site.

A patch for this vulnerability was published in the last monthly update set from Microsoft. Patch now.

The vulnerability can be exploited via 139/TCP and 445/TCP.

Lab at work

Updated to add:

After further analysis, it turned out that the actual vulnerability is not MS05-047 but the older MS05-039 (also used by Zotob). The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. See the updated description of Mocbot.

We have also received reports that the bot channel may instruct all joining bots to start scanning automatically for vulnerable computers, so that they behave as self-propagating worms.
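A bot that has been told to scan shows up on the network as one host fanning out to many distinct peers on 139/TCP and 445/TCP in a short time, which is cheap to spot in firewall or flow logs. The following is an added example (not code from F-Secure or from the original post) of that detection logic. It assumes a simple one-line-per-connection log format, `<ISO8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>`, and the sample traffic it runs over is constructed here, not captured data; the 60-second window and the threshold of 10 distinct SMB peers are assumed starting values to be tuned per network.

```python
"""Flag hosts that fan out to many distinct peers on 139/445, the pattern a
Mocbot-style bot shows once the IRC channel tells it to scan for victims."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}          # MS05-039 is reachable over these ports


def parse_line(line):
    """Parse one line of the assumed log format:
    '<ISO8601 ts> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>'.
    Returns None for lines that do not match, so callers can skip them."""
    parts = line.split()
    if len(parts) != 6 or parts[2] != "->":
        return None
    ts_text, src, _, dst_and_port, proto, action = parts
    dst, _, port_text = dst_and_port.rpartition(":")
    try:
        ts = datetime.fromisoformat(ts_text)
        port = int(port_text)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "port": port,
            "proto": proto.lower(), "action": action}


def max_distinct_in_window(events, window):
    """events: list of (timestamp, dst). Sliding window over the sorted
    events; returns the largest number of distinct destinations contacted
    within any span of length `window`."""
    events = sorted(events)
    in_window = Counter()       # dst -> number of events currently in window
    best = left = 0
    for ts, dst in events:
        in_window[dst] += 1
        # drop events older than `window` relative to the newest one
        while ts - events[left][0] > window:
            old_dst = events[left][1]
            in_window[old_dst] -= 1
            if in_window[old_dst] == 0:
                del in_window[old_dst]
            left += 1
        best = max(best, len(in_window))
    return best


def smb_fanout(lines, window=timedelta(seconds=60)):
    """Per source IP, the peak number of distinct hosts it touched on
    139/445 within `window`. Non-SMB and unparsable lines are ignored."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp" or ev["port"] not in SMB_PORTS:
            continue
        per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    return {src: max_distinct_in_window(evs, window) for src, evs in per_src.items()}


def find_scanners(lines, threshold=10, window=timedelta(seconds=60)):
    """Sources whose SMB fan-out reaches `threshold` (assumed value; tune it)."""
    return {src: n for src, n in smb_fanout(lines, window).items() if n >= threshold}


def build_sample_log():
    """Constructed sample traffic for the example; not real captured data."""
    base = datetime(2005, 10, 23, 10, 25, 0)
    lines = []
    # infected host sweeping part of a /24 on 445, one target per second
    for i in range(1, 26):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 192.168.1.{i}:445 tcp deny")
    # ordinary workstation talking to its one file server on 445
    for i in range(0, 60, 5):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 10.0.0.2:445 tcp allow")
    # web browsing to many hosts on 80 must not count as SMB fan-out
    for i in range(1, 31):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.0.8 -> 203.0.113.{i}:80 tcp allow")
    lines.append("garbage line that will be skipped")
    return lines


SAMPLE_LINES = build_sample_log()

if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_LINES).items()):
        print(f"{src}: {n} distinct SMB peers within 60s -> probable scanner")
```

Denied connections are counted as well as allowed ones, since a scanning bot generates attempts regardless of what the firewall does with them; a host that talks to one file server all day stays at a fan-out of 1 and is never flagged.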