Well, the MS06-040 flaw is officially being exploited. So far the bot has been named Graweg (Microsoft), Wargbot (Symantec) and Mocbot (LURHQ), and there is also a yet-unnamed second variant (released Sunday).
The Internet Storm Center, a site that tracks port scanning attempts, reported a large increase in scans for the flaw.
Both variants appear to spread via AIM (America Online Instant Messaging). The bot compromises PCs and awaits commands from a network of computers, so far based out of China.
One version of the bot program runs on a compromised system as wgareg.exe and creates a service to run at startup called the Windows Genuine Advantage Registration Service, while the other variant runs as wgavm.exe, naming itself the Windows Genuine Advantage Validation Monitor.
Aliases
- Backdoor.Win32.IRCBot.st (Kaspersky)
- Backdoor:Win32/Graweg.A (Microsoft)
- Backdoor:Win32/Graweg.B (Microsoft)
- WORM_IRCBOT.JK (TrendMicro)
- WORM_IRCBOT.JL (TrendMicro)
Characteristics
This is a detection for a variant of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow (MS06-040) against Windows 2000 machines. This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0) or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates a service (or services) with the following properties:
- Name: wgareg
- Display name: Windows Genuine Advantage Registration Service
- Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
- Name: wgavm
- Display name: Windows Genuine Advantage Validation Monitor
- Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability.
(The "Windows Genuine Advantage" components installed by Microsoft via Windows Update do not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory.)
As in the older variants, this bot first attempts to connect to the following IRC servers on TCP 18067:
- bbjj.househot.com
- ypgw.wallloan.com
The bot connects to a specified channel and awaits commands, including:
- DDoS
- Scan (for vulnerable systems)
- Download / execute remote files
Once instructed, the bot scans class A subnet addresses, sending SYN packets to TCP 139 (netbios) and 445 (microsoft-ds), looking for systems vulnerable to MS06-040. When a vulnerable system is discovered, the infected host triggers a buffer overflow on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it. Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP for the download, but rather contains its own downloader code. The remote system downloads the worm via a random TCP port.
Symptoms
- Heavy netbios and microsoft-ds network traffic
- Presence of the file wgareg.exe or wgavm.exe in the WINDOWS SYSTEM directory
- TCP 18067 connections to bniu.househot.com, bbjj.househot.com or ypgw.wallloan.com
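The two network symptoms above (C2 sessions on TCP 18067 to the listed IRC hosts, and one source sweeping 139/445 looking for MS06-040 targets) are easy to pull out of connection logs. The following is an added example, not code from the advisory or from any vendor: it parses a constructed log format of my own (`<timestamp> TCP <src>:<sport> -> <dst>:<dport> flags=<flags>`, assuming the destination already carries a resolved name where one was available), flags connections to the advisory's C2 hosts on 18067, and reports any source that sends bare SYNs to 139/445 on more distinct hosts than an assumed threshold of 50. The host list and port come from the advisory; the threshold and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Network indicators taken from the advisory above.
C2_HOSTS = {"bniu.househot.com", "bbjj.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SCAN_PORTS = {139, 445}
# Assumed threshold (not from the advisory): distinct hosts a single source must
# SYN on 139/445 before we report it as a sweep.
SCAN_THRESHOLD = 50

# Constructed log line format (not the advisory's):
#   <timestamp> TCP <src>:<sport> -> <dst>:<dport> flags=<tcp flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+TCP\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s+flags=(?P<flags>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Return C2 connections (TCP 18067 to a listed host) and sources sweeping 139/445."""
    c2_connections = []
    syn_targets = defaultdict(set)  # src -> distinct destinations it SYN'd on 139/445
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        if rec["dport"] == C2_PORT and rec["dst"].lower() in C2_HOSTS:
            c2_connections.append((rec["src"], rec["dst"], rec["dport"]))
        # A bare SYN ("S") to 139/445 is one probe; a real SMB session shows more flags later.
        if rec["dport"] in SCAN_PORTS and rec["flags"] == "S":
            syn_targets[rec["src"]].add(rec["dst"])
    scanners = {src: len(t) for src, t in syn_targets.items() if len(t) >= SCAN_THRESHOLD}
    return {"c2_connections": c2_connections, "scanners": scanners}


def build_sample_log():
    """Constructed sample: one host sweeping 10.1.0.0/24 on 445, one host talking to C2, plus benign noise."""
    lines = []
    for i in range(1, 61):  # 60 SYNs from 10.0.0.5, each to a distinct host on TCP 445
        lines.append(f"2006-08-14T10:00:{i % 60:02d} TCP 10.0.0.5:{1024 + i} -> 10.1.0.{i}:445 flags=S")
    lines += [
        "2006-08-14T10:01:00 TCP 10.0.0.7:1234 -> bbjj.househot.com:18067 flags=S",
        "2006-08-14T10:01:01 TCP 10.0.0.7:1234 -> bbjj.househot.com:18067 flags=PA",
        # One normal SMB connection: a single target is far below the sweep threshold.
        "2006-08-14T10:01:02 TCP 10.0.0.9:1500 -> fileserver.corp.example:445 flags=S",
        # Same port as the C2 servers but not one of the listed hosts, so not flagged.
        "2006-08-14T10:01:03 TCP 10.0.0.9:1501 -> irc.example.net:18067 flags=S",
        "this line is not a connection record and is ignored",
    ]
    return lines


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for src, dst, port in report["c2_connections"]:
        print(f"C2 connection: {src} -> {dst}:{port}")
    for src, count in report["scanners"].items():
        print(f"SYN sweep on 139/445: {src} probed {count} hosts")
```

Counting distinct destinations rather than raw packets keeps a single chatty SMB session from tripping the sweep rule, and matching the C2 rule on host and port together avoids flagging every unrelated service that happens to sit on 18067.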
The following registry key(s) may be added or modified to disable the Windows Security Center firewall and anti-virus monitors:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM = "n"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusdisablenotify = 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusoverride = 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify = 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisableoverride = 0x00000001
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 0x00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall = 0x00000000
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall = 0x00000000
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start = 0x00000004
Method of Infection
This worm spreads by exploiting the MS06-040 vulnerability.
Removal
All McAfee Users:
Please update to 4828 (08/13/2006) or later DAT release package
Intrushield protects against this threat with sigset(s) 3.1.19, 2.1.46, 1.9.63, 1.8.80 released on?/8/2006.
Buffer Overflow Protection in VirusScan Enterprise 8.0 and VirusScan Consumer 11 does NOT protect against this threat.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
This threat modifies a number of system configurations, including disabling the default Windows Firewall on the infected machine. These settings must be restored manually.
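The registry list under Symptoms and the note above that the firewall and Security Center changes have to be put back by hand both come down to the same job: compare what a host has against the values the bot writes, then restore the originals. The following is an added example, not code from the advisory or from McAfee. It takes a registry snapshot as a plain dictionary (so it runs offline; on a live Windows host you would fill the same dictionary from `winreg`), reports every value that matches the advisory's tampered setting, and renders a `.reg` file that restores it. The key paths and tampered values are the advisory's; the restore values are my assumption of typical Windows XP SP2 defaults and should be confirmed against a known-clean machine of the same build, and the snapshot is constructed.

```python
import re

# Tampering indicators from the advisory: (key under HKLM, value name, value the bot writes).
# The fourth column is the value to restore, an ASSUMED typical Windows XP SP2 default
# (not from the advisory); confirm it against a known-clean machine of the same build.
INDICATORS = [
    (r"SOFTWARE\Microsoft\Ole", "EnableDCOM", "n", "Y"),
    (r"SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", 1, 0),
    (r"SOFTWARE\Microsoft\Security Center", "AntiVirusOverride", 1, 0),
    (r"SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1, 0),
    (r"SOFTWARE\Microsoft\Security Center", "FirewallDisableOverride", 1, 0),
    (r"SYSTEM\ControlSet001\Control\Lsa", "RestrictAnonymous", 1, 0),
    (r"SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", 0, 1),
    (r"SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", 0, 1),
    # Start=4 is SERVICE_DISABLED; 2 (SERVICE_AUTO_START) re-enables the firewall/ICS service.
    (r"SYSTEM\ControlSet001\Services\SharedAccess", "Start", 4, 2),
]

_HIVE_RE = re.compile(r"^(hkey_local_machine|hklm)\\")


def norm(key, name):
    """Registry paths and value names are case-insensitive; strip the hive prefix and lowercase."""
    return (_HIVE_RE.sub("", key.strip().lower()), name.strip().lower())


def find_tampering(snapshot):
    """snapshot: {(key, value_name): value}. Returns [(key, name, observed, restore)] per match."""
    lookup = {norm(k, n): v for (k, n), v in snapshot.items()}
    findings = []
    for key, name, bad, good in INDICATORS:
        observed = lookup.get(norm(key, name))
        if observed is None:
            continue  # value absent: nothing to compare
        if isinstance(bad, str):
            hit = str(observed).lower() == bad.lower()
        else:
            hit = observed == bad
        if hit:
            findings.append((key, name, observed, good))
    return findings


def to_reg_file(findings):
    """Render a .reg file (Regedit 5.00 format) that writes the restore value for each finding."""
    by_key = {}
    for key, name, _observed, good in findings:
        by_key.setdefault(key, []).append((name, good))
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in by_key.items():
        lines.append(f"[HKEY_LOCAL_MACHINE\\{key}]")
        for name, good in values:
            if isinstance(good, str):
                lines.append(f'"{name}"="{good}"')
            else:
                lines.append(f'"{name}"=dword:{good:08x}')
        lines.append("")
    return "\r\n".join(lines)


# Constructed snapshot (not a real host): some values tampered, one left clean, the rest absent.
SAMPLE_SNAPSHOT = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "n",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 1,
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify"): 0,
    (r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): 0,
    (r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess", "Start"): 4,
}


if __name__ == "__main__":
    hits = find_tampering(SAMPLE_SNAPSHOT)
    for key, name, observed, good in hits:
        print(f"{key}\\{name} = {observed!r} (restore to {good!r})")
    print(to_reg_file(hits))
```

The advisory lists the keys under ControlSet001 and the code keeps them that way; on a running system CurrentControlSet is the alias that points at the active control set, so a live check should read through that alias as well. Absent values are deliberately reported as nothing rather than as findings, since a key the bot never touched is not evidence of infection.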
Bot: software that infects computers by exploiting vulnerabilities or by using social engineering to convince the user to execute the program, and then surreptitiously allows the attacker to control the computer or capture sensitive data from the system.