Topic: ALERT - The Zotob.A worm exploiting the MS05-039 flaw
Author: TJ
Description
Alias: W32/Zotob.A
Type: Worm
Size: 22,528 bytes
Technical details
Zotob.A is a worm that exploits the recent Plug-and-Play vulnerability (MS05-039) using TCP port 445. The worm targets only Windows 2000 machines.
This worm attempts to download the "haha.exe" file to %SYSTEM%\botzor.exe and then execute it. When Zotob.A runs, it does the following:
- Adds the value "WINDOWS SYSTEM" = "botzor.exe" to the registry so that the worm runs when Windows starts.
- Opens a shell on port 8888.
- Installs an FTP server on port 33333.
- Connects to a predefined IRC channel.
- Connects to the generated IP address on TCP port 445 to determine if a remote computer is vulnerable.
- When a vulnerable system is found, the worm sends a copy of itself to this machine via the FTP server.
Recommendations
We recommend that you apply the appropriate patches, filter access to TCP ports 139/445, and block ports 8888 and 33333 at the firewall level.
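
Added example, not part of the original post: a Python check that looks for the indicators listed above (listeners on TCP 8888 and 33333, outbound connections to many hosts on TCP 445, and the "WINDOWS SYSTEM" = "botzor.exe" autorun value) in `netstat -an` output and in exported autorun values. The function names, the scan threshold and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators taken from the post above.
BACKDOOR_PORTS = {8888: "shell", 33333: "FTP server"}
AUTORUN_VALUE = ("WINDOWS SYSTEM", "botzor.exe")
SCAN_THRESHOLD = 5  # assumption: distinct TCP 445 targets treated as scanning

ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\d+)\s+(\S+)", re.I)

def check_netstat(text, scan_threshold=SCAN_THRESHOLD):
    """Return findings for Windows-style `netstat -an` output."""
    findings, smb_targets = [], set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        lport, raddr, rport, state = int(m[1]), m[2], int(m[3]), m[4].upper()
        if state == "LISTENING" and lport in BACKDOOR_PORTS:
            findings.append(f"listener on TCP {lport} ({BACKDOOR_PORTS[lport]})")
        elif rport == 445 and state in ("SYN_SENT", "ESTABLISHED"):
            smb_targets.add(raddr)  # this host is reaching out to remote SMB
    if len(smb_targets) >= scan_threshold:
        findings.append(f"outbound TCP 445 to {len(smb_targets)} hosts")
    return findings

def check_autoruns(values):
    """values: (name, data) pairs exported from the host's autorun registry keys."""
    name, data = AUTORUN_VALUE
    return [(n, d) for n, d in values
            if n.strip().upper() == name and d.strip().lower().endswith(data)]

# Constructed sample input, not captured from a real host.
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING",
     "  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING"]
    + [f"  TCP    10.0.0.5:{1100 + i}          192.0.2.{i}:445          SYN_SENT"
       for i in range(1, 7)])
SAMPLE_AUTORUNS = [("WINDOWS SYSTEM", "botzor.exe"),
                   ("ctfmon", "C:\\WINNT\\system32\\ctfmon.exe")]

if __name__ == "__main__":
    for finding in check_netstat(SAMPLE_NETSTAT):
        print("netstat:", finding)
    for name, data in check_autoruns(SAMPLE_AUTORUNS):
        print(f"autorun: {name} = {data}")
```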