NEWS FROM THE LAB - Sunday, August 13, 2006

IRC bot exploits the 5-day-old MS06-040 vulnerability
Posted by Mikko @ 08:23 GMT

Hopefully everybody followed the advice we gave five days ago. We've just located the first bot exploiting one of the remote code execution vulnerabilities patched in last Tuesday's patch set by Microsoft.

The bot, known as Mocbot aka Backdoor.Win32.IRCBot.st, is apparently only able to spread to Windows 2000 and perhaps to Windows XP SP1 computers.

Our update 2006-08-13_01 detects this bot.

The bot connects to IRC servers at:


Network admins might want to monitor connection attempts to those hosts from within their network.

More info on the MS06-040 vulnerability.