AlphaOne Technology Support Forums
Topic: W32.Esbot.D
Author: TJ (Tech Team)
Posted: September 20, 2005, 03:38:10 PM

W32.Esbot.D is a worm that exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) and opens a back door that allows a remote attacker access to the compromised computer.

When W32.Esbot.D is executed, it performs the following actions:

   1. Creates the following mutex so that only one instance of the worm runs at one time:

      wupnp

   2. Copies itself as %System%\wupnp.exe.

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   3. Runs itself as the following service:

      Service Name: wupnp
      Display Name: Windows UPnP Service
      Description: Manages universal plugn-and-play services over network interfaces
      Path to Executable: %System%\wupnp.exe

   4. May also inject itself into explorer.exe.

   5. May modify the value:

      "EnableDCOM" = "N"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

      to disable DCOM.

   6. May modify the value:

      "restrict anonymous" = "1"

      in the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

      to restrict anonymous access to network shares.

   7. Connects to the following IRC servers using certain TCP ports:

          * c.nullroute.biz using TCP port 9000
          * c.devnull.biz using TCP port 9059

   8. Listens for IRC commands that allow the attacker to perform the following actions:

          * Download and execute files
          * List, end, and start processes and threads
          * Launch Denial of Service attacks
          * Find files on local hard disks
          * Scan for remotely exploitable computers

   9. The worm attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). If successful, the worm will send shell code to the remote computer.


REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.d.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

   5. In the right pane, reset the following value to its original setting (if applicable):

      "EnableDCOM"

   6. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

   7. In the right pane, reset the following value to its original setting (if applicable):

      "restrictanonymous"

   8. Exit the Registry Editor.
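The following PowerShell script is an added audit example, not part of the original post or of Symantec's writeup. It only reports the host indicators the post lists (the wupnp service, %System%\wupnp.exe, the two registry values the worm may change, and established connections to the two IRC ports named above) so an administrator can confirm an infection before following the removal steps; it changes nothing. It assumes an elevated PowerShell on Windows, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later; the connection check is skipped otherwise). It uses "RestrictAnonymous" as the Lsa value name, which is the documented spelling of the value the post writes two ways.

```powershell
# Added audit example for the W32.Esbot.D indicators listed in the post.
# Read-only: it reports findings and modifies nothing.
# Assumptions: elevated PowerShell on Windows; Get-FileHash (PS 4+) and
# Get-NetTCPConnection (Windows 8 / Server 2012+) may be absent on old hosts.

$findings = @()

# 1. Service registered under the name the worm uses
$svc = Get-Service -Name 'wupnp' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service 'wupnp' present (status: $($svc.Status), display name: '$($svc.DisplayName)')"
}

# 2. Dropped file %System%\wupnp.exe ([Environment] resolves %System% for this OS)
$sys = [Environment]::GetFolderPath('System')
$exe = Join-Path $sys 'wupnp.exe'
if (Test-Path -LiteralPath $exe) {
    $line = "File present: $exe"
    if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        $line += " (SHA256 $((Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash))"
    }
    $findings += $line
}

# 3. Registry values the worm may modify. Current data is reported so the
#    administrator can compare it with the site's intended setting; the value
#    the worm writes is flagged but not changed.
$regChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Ole';               Name = 'EnableDCOM';        WormValue = 'N' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; WormValue = '1' }
)
foreach ($c in $regChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $val  = $item.($c.Name)
        $flag = if ("$val" -eq $c.WormValue) { ' <- matches the value the worm sets' } else { '' }
        $findings += "$($c.Path)\$($c.Name) = $val$flag"
    } else {
        $findings += "$($c.Path)\$($c.Name) not set (default applies)"
    }
}

# 4. Established TCP connections to the IRC ports named in the post,
#    with the owning process so it can be examined.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 9000, 9059 } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $findings += "Connection to $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($($p.ProcessName))"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the W32.Esbot.D indicators from the post were found on this host.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it before and after the removal steps: before, a hit on the service or file confirms the infection; afterwards, the registry lines show whether EnableDCOM and RestrictAnonymous have been put back to the values the site actually wants, which the post leaves to the administrator ("reset ... to its original setting"). The mutex named in step 1 is not checked, since reading another process's mutex requires native API calls and the service and file checks already identify the same infection.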