Topic: W32.Esbot.B
Author: TJ
W32.Esbot.B is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability.
When W32.Esbot.B is executed, it performs the following actions:
1. Creates the mutex "wpa", so that only one copy of the worm runs on the compromised computer.
2. Copies itself as %System%\wpa.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
3. Runs itself as a service:
Service Name: wpa
Display Name: Windows Product Activation
Path to executable: %System%\wpa.exe
4. Injects itself into explorer.exe.
5. Modifies the value:
"EnableDCOM" = "N"
in the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
to disable DCOM.
6. Adds the value:
"restrictanonymous" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to restrict anonymous access to network shares.
7. Creates the following read only file:
%Windir%\debug\dcpromo.log
Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
8. Connects to an IRC server on the ypgw.wallloan.com domain on TCP port 18067 to listen for IRC commands.
9. IRC commands allow the attacker to perform the following actions:
* Download and execute files
* List, stop, and start processes and threads
* Launch Denial of Service (DoS) attacks
* Find files on local hard disks
* Scan for computers and attempt to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm sends shell code to the remote machine.
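Added triage script, not part of the original post or the vendor writeup it reproduces: it checks a Windows host for the artifacts listed above (service, dropped file, registry values, read-only log, port 18067 connection) and prints each finding. It assumes PowerShell 4 or later (for Get-FileHash and Get-CimInstance) running in an elevated session.

```powershell
# Added host-triage example for the W32.Esbot.B indicators described above.
# Assumes PowerShell 4+ and a local Administrator session.
$findings = @()

# 1. Service "wpa" / "Windows Product Activation" pointing at %System%\wpa.exe
$svc = Get-CimInstance Win32_Service -Filter "Name='wpa'" -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'wpa' present: DisplayName='$($svc.DisplayName)' PathName='$($svc.PathName)'"
}

# 2. Dropped binary in the System folder
$wpaExe = Join-Path $env:SystemRoot 'System32\wpa.exe'
if (Test-Path $wpaExe) {
    $hash = (Get-FileHash -Path $wpaExe -Algorithm SHA256).Hash
    $findings += "File present: $wpaExe (SHA256 $hash)"
}

# 3. Registry changes. Both values are also legitimate hardening settings
#    (DCOM disabled, anonymous enumeration restricted), so on their own they
#    are weak indicators; they matter together with findings 1 or 2.
$ole = Get-ItemProperty 'HKLM:\Software\Microsoft\Ole' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings += "HKLM\Software\Microsoft\Ole EnableDCOM = N"
}
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += "HKLM\SYSTEM\CurrentControlSet\Control\Lsa restrictanonymous = 1"
}

# 4. Read-only %Windir%\debug\dcpromo.log. Domain controllers carry a legitimate
#    dcpromo.log from promotion, so the read-only attribute on a non-DC is the
#    part worth flagging.
$log = Join-Path $env:SystemRoot 'debug\dcpromo.log'
if (Test-Path $log) {
    $attrs = (Get-Item $log -Force).Attributes
    if ($attrs -band [IO.FileAttributes]::ReadOnly) { $findings += "Read-only file: $log" }
}

# 5. IRC command channel on TCP 18067. netstat is used instead of
#    Get-NetTCPConnection so the check also works on older hosts.
$c2 = netstat -ano | Select-String ':18067\s'
foreach ($line in $c2) { $findings += "Connection on TCP 18067: $($line.Line.Trim())" }

if ($findings.Count -eq 0) { "No W32.Esbot.B indicators found" } else { $findings }
```

A host that matches only finding 3 or only a non-read-only dcpromo.log should be treated as unconfirmed; the service or the wpa.exe file is the decisive artifact.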