DodgeBoard.com - Forums > Special Interests > Computers & Technology
#1
08-10-2006, 10:45 AM
Detector (DodgeBoard Sheriff)
Microsoft Security Bulletin MS06-040

Source: http://www.microsoft.com/technet/sec.../MS06-040.mspx

This patch DOES apply to all Windows 2000 and XP not just servers. All Windows run the server services that must be patched. I thought it was important to get this out because it has been upgraded to a level 1 threat. Code to exploit this vulnerability has already hit the Internet and a new worm is inevitable and expected by Monday.

PATCH AS SOON AS POSSIBLE
Vulnerability in Server Service Could Allow Remote Code Execution (921883)

Published: August 8, 2006

Version: 1.0
Summary

Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:
  • Microsoft Windows 2000 Service Pack 4 — Download the update
  • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 — Download the update
  • Microsoft Windows XP Professional x64 Edition — Download the update
  • Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 — Download the update
  • Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems — Download the update
  • Microsoft Windows Server 2003 x64 Edition — Download the update

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Note: The security updates for Microsoft Windows Server 2003, Windows Server 2003 Service Pack 1, and Windows Server 2003 x64 Edition also apply to Windows Server 2003 R2.
#2
08-13-2006, 04:49 AM
Detector (DodgeBoard Sheriff)
Officially in the wild. No name as of yet but it looks to be building a botnet. Here's what is known.

Filename: wgareg.exe, MD5: 9928a1e6601cf00d0b7826d13fb556f0 (this is the bot)

Incoming traffic on 445/TCP but there is a lot of background noise on that port.

Outgoing traffic to bniu.househot.com:18067 (Command and Control center, multiple IPs, IRC)

Outgoing traffic to port 445/TCP (scanning for victims and exploiting them)
#3
08-13-2006, 08:17 AM
Tee (DodgeBoard Deputy)
Detector

Hey.... I am just posting this to see if anybody else has this problem. Mine may have been an isolated and unrelated issue.

After installing the above update, prior to rebooting, my system had a system fault in module mspool.exe.

After rebooting, Norton reported that mspool.exe was infected with hacktool virus.

Not sure if the update had anything to do with it but sure seemed like it. My computer performs nightly scans and nothing had been previously detected until after the update was installed.

Is it possible that this Microsoft Update has been infected with a virus?
Attached thumbnail: microsoft-security-bulletin-ms06-040-virus.jpg
Last edited by Tee; 08-13-2006 at 08:29 AM.
#4
08-13-2006, 08:23 AM
Highwayman (DodgeBoard Senior VP)
I didn’t have any problems and I also run Norton. System was scanned after installing update and nothing was detected.
#5
08-13-2006, 08:34 AM
TexKan (DodgeBoard President)
Our workplace just had us download all the updates - hell I got 37 of 'em - see this is why I just don't mess with all that stuff - if the puter works leave it alone!! When it's broke - go get it fixed. All this is so far over my head anyhow........ by the time the worm gets anywhere close it'll be butterflyin'!!
#6
08-13-2006, 08:49 AM
Detector (DodgeBoard Sheriff)
MSSPOOL? I know it (Hacktool) replaces CMDs to obtain administrative privileges.

Hacktool.Privshell replaces a known system service with itself.

The common usage would be to replace the Spoolsv.exe file in the System directory with the hacktool program.

Once the hacktool has replaced the known system service, it will create a cmdshell with Administrative privileges.

Another possible cause could be that during the update MSSPOOL was damaged and then detected as a virus. Often when an antivirus detects an unidentified file (possible virus) it searches its database and finds the closest matching virus.

Could well be you had already been hit by the server services code. They said as early as Wednesday the code was posted to the Internet and a worm could already be circulating. It replaced your msspool.exe (a server service) and caused the error, then your antivirus picked it up. Unfortunately, Norton is one of the antivirus programs that did not detect this new code.

Here are the results


Scan results
File: wgareg.exe
Date: 08/13/2006 03:03:43 (CET)
----
AntiVir 6.35.1.0/20060812 found [HEUR/Crypted.Layered]
Authentium 4.93.8/20060812 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast 4.7.844.0/20060810 found nothing
AVG 386/20060811 found nothing
BitDefender 7.2/20060813 found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal 8.00/20060812 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060813 found nothing
DrWeb 4.33/20060812 found nothing
eTrust-InoculateIT 23.72.94/20060812 found nothing
eTrust-Vet 30.3.3012/20060811 found nothing
Ewido 4.0/20060812 found nothing
Fortinet 2.77.0.0/20060812 found nothing
F-Prot 3.16f/20060811 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4 4.2.1.29/20060811 found [W32/Threat-HLLIM-based!Maximus]
Ikarus 0.2.65.0/20060811 found nothing
Kaspersky 4.0.2.24/20060813 found nothing
McAfee 4827/20060811 found nothing
Microsoft 1.1508/20060804 found nothing
NOD32v2 1.1704/20060811 found [a variant of Win32/IRCBot.OO]
Norman 5.90.23/20060811 found [W32/Suspicious_M.gen]
Panda 9.0.0.4/20060812 found [Suspicious file]
Sophos 4.08.0/20060812 found nothing
Symantec 8.0/20060813 found nothing
TheHacker 5.9.8.190/20060810 found nothing
UNA 1.83/20060811 found nothing
VBA32 3.11.0/20060811 found nothing
VirusBuster 4.3.7:9/20060812 found nothing

From Andreas' analysis:
[1] The exploit might also have entered using some Java "hole", since I found a trace in ..\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\ext\ with a handful of highly suspicious .jar and .zip files.

[2] C:\WINNT\NT contained a file named NRCS.EXE, 25,185 bytes in length.

[3] C:\WINNT\Debug contained a file named dcpromo.log.

[4] Found malicious registry keys in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAREG
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WGAVM

YOU CANNOT EVEN DELETE THOSE IN SAFE MODE!


You can try my Intrusion Detection program to see if ports 135-139 & 445 are active.

http://www.detectorsplace.com/files/itools.zip
Last edited by Detector; 08-13-2006 at 02:50 PM.
#7
08-13-2006, 01:29 PM
Lone Gunman (DodgeBoard Sheriff)
I downloaded it and then scanned and found no virus.
#8
08-14-2006, 06:33 AM
Detector (DodgeBoard Sheriff)
Update

Well the MS06-040 flaw is officially being exploited. So far the BOT has been named Graweg (Microsoft), Wargbot (Symantec) and Mocbot (LURHQ), as well as a yet-unnamed second variant (released Sunday).

The Internet Storm Center, a site that tracks port scanning attempts, reported a large increase in scans for the flaw.

Both variants appear to spread via AIM (America Online Instant Messaging). The BOT compromises PCs and awaits commands from a network of computers, so far based out of China.

One version of the bot program runs on a compromised system as wgareg.exe and creates a service to run at startup called the Windows Genuine Advantage Registration Service, while the other variant runs as wgavm.exe naming itself the Windows Genuine Advantage Validation Monitor.

Aliases
  • Backdoor.Win32.IRCBot.st (Kaspersky)
  • Backdoor:Win32/Graweg.A (Microsoft)
  • Backdoor:Win32/Graweg.B (Microsoft)
  • CME-482
  • W32.Wargbot (Symantec)
  • W32/Cuebot-L (Sophos)
  • W32/Cuebot-M (Sophos)
  • WORM_IRCBOT.JK (TrendMicro)
  • WORM_IRCBOT.JL (TrendMicro)
Characteristics

This is a detection for a variant of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines.
This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0) or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates a service(s) with the following properties:
  • Name: wgareg
  • Display name: Windows Genuine Advantage Registration Service
  • Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
  • Name: wgavm
  • Display name: Windows Genuine Advantage Validation Monitor
  • Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability.
(The "Windows Genuine Advantage" programs installed by Microsoft via Windows Update do not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory)
As in the older variants, this bot first attempts to connect to the following IRC servers on TCP 18067:
  • bbjj.househot.com
  • ypgw.wallloan.com
The bot connects to a specified channel and awaits commands, including:
  • DDoS
  • Scan (for vulnerable systems)
  • Download / execute remote files
Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios) and 445 (microsoft-ds), looking for systems vulnerable to the MS06-040 vulnerability. When a vulnerable system is discovered, the infected host causes a buffer overflow to occur on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it. Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP to achieve the downloading, but rather contains its own downloader code. The remote system downloads the worm via a random TCP port.


Symptoms
  • Heavy netbios and microsoft-ds network traffic
  • Presence of the file wgareg.exe or wgavm.exe in the WINDOWS SYSTEM directory
  • TCP 18067 connections to bniu.househot.com, bbjj.househot.com or ypgw.wallloan.com
The following registry key(s) may be added or modified to disable the Windows Security Center firewall and anti-virus monitors:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM = "n"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusdisablenotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusoverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisableoverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start = 0x00000004
Method of Infection

This worm spreads by exploiting the MS06-040 vulnerability.
Removal

All McAfee Users:
Please update to 4828 (08/13/2006) or later DAT release package
Intrushield protects against this threat with sigset(s) 3.1.19, 2.1.46, 1.9.63, 1.8.80 released on?/8/2006.
Buffer Overflow Protection in VirusScan Enterprise 8.0 and VirusScan Consumer 11 does NOT protect against this threat.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher). Additional Windows ME/XP removal considerations
This threat modifies a number of system configurations that includes disabling the default Windows Firewall on the infected machine. These changes should be manually configured.


BOT: software that infects computers by exploiting vulnerabilities or by using social engineering to convince the user to execute the program and then surreptitiously allows the attacker to control the computer or capture sensitive data from the system.
Last edited by Detector; 08-14-2006 at 08:02 AM.
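The network symptoms listed in the thread (IRC command-and-control on TCP 18067 to bniu.househot.com, bbjj.househot.com or ypgw.wallloan.com, and heavy SYN scanning of TCP 139/445 from an infected host) can be turned into simple detection logic over a connection log. This is an added example, not code from the thread or from any vendor advisory quoted in it; the log line format, the sample log and the 20-target scan threshold are assumptions made for the example.

```python
"""Detection logic for the Mocbot/Wargbot network symptoms described in the
thread: IRC C2 on TCP 18067 to the listed hosts, and SYN scanning of TCP
139/445 from one source. Added example; the log format is constructed."""
import re
from collections import defaultdict

# Indicators quoted in the thread
C2_HOSTS = {"bniu.househot.com", "bbjj.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SCAN_PORTS = {139, 445}
# Distinct 139/445 targets from one source before we call it a scan (assumed
# threshold; the thread gives none). Normal hosts talk to a few file servers,
# which is the "background noise" on 445 the thread mentions.
SCAN_THRESHOLD = 20

# Constructed log format: "<date> <time> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, else None (junk is skipped)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines):
    """Return a list of (rule, source_ip, detail) alerts for the log lines."""
    alerts = []
    targets = defaultdict(set)  # src -> distinct 139/445 destinations SYN'd
    for rec in filter(None, map(parse, lines)):
        if rec["flags"] != "SYN":
            continue  # count new connections only
        if rec["dport"] == C2_PORT and rec["dst"].lower() in C2_HOSTS:
            alerts.append(("c2_connection", rec["src"], rec["dst"]))
        if rec["dport"] in SCAN_PORTS:
            targets[rec["src"]].add(rec["dst"])
    for src, dsts in sorted(targets.items()):
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append(("ms06040_scan", src, len(dsts)))
    return alerts


# Constructed sample: 192.168.1.10 beacons to C2, then sweeps 10.0.x.1 on 445;
# 192.168.1.20 is benign noise (many sessions to a single file server).
SAMPLE_LOG = [
    "2006-08-13 03:01:22 192.168.1.10:1054 -> bbjj.househot.com:18067 SYN",
    "2006-08-13 03:01:23 192.168.1.10:1054 -> bbjj.househot.com:18067 ACK",
] + [
    f"2006-08-13 03:02:{i:02d} 192.168.1.10:{1100 + i} -> 10.0.{i}.1:445 SYN"
    for i in range(25)
] + [
    f"2006-08-13 03:03:{i:02d} 192.168.1.20:{2000 + i} -> 192.168.1.5:445 SYN"
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Running it on the sample prints one c2_connection alert and one ms06040_scan alert for 192.168.1.10 and nothing for 192.168.1.20, which only ever talks to one server on 445.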