BEAVERTON, Ore., Aug. 16, 2005 -- McAfee, Inc. (NYSE: MFE), the leader in Intrusion Prevention and Security Risk Management, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of McAfee, Inc., raised the risk assessment to High on the recently discovered W32/IRCbot.worm!MS05-039 worm, also known as IRCbot.worm!MS05-039. The worm, an Internet Relay Chat (IRC) Bot, includes the ability to spread by exploiting systems that are not yet patched for the MS05-039 vulnerability.
The IRCbot.worm!MS05-039 worm appears seven days from the initial announcement of the Microsoft vulnerability, demonstrating the fastest time between the announcement of a vulnerability and the success of a mass-propagating exploit, even faster than Sasser, which took 14 days.
The vulnerability, which was announced by Microsoft on August 9, 2005, has also been targeted by virus writers who produced multiple variants of the ever-expanding SDBot family, as well as a new family now known as Zotob. The IRCbot.worm!MS05-039 worm was the first of these threats to successfully mass propagate. To date, McAfee AVERT has received more than 150 reports from the field of the worm being stopped or infecting users. Most of these reports have arrived from the United States, though AVERT has also received reports from Asia and Europe.
Threat Overview
IRCbot.worm!MS05-039 is designed to contact a remote IRC server and wait for further instructions. If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, the system will continually reboot. Infected systems will be listening on TCP port 8594.
Threat Pathology
When the file is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE. The file can be run automatically by exploiting the MS05-039 vulnerability or by a person directly executing the worm.
Registry keys are created to load the worm at startup:
LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe
System Protection and Cure
More information on IRCbot.worm!MS05-039 and its cure can be found online at the McAfee AVERT site. McAfee AVERT has included detection in the BETA DAT files and the next scheduled DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used. EXTRA.DAT packages are available prior to the full DAT release so that users can stay protected from this threat.
Information on McAfee technologies that provide complete system and network protection can be found online at the company's Web site located at www.mcafee.com.
All McAfee products are backed by the company's top-ranked anti-virus and vulnerability research organization, McAfee AVERT, whose global researchers combine research expertise from McAfee IntruShield, McAfee Entercept and McAfee Foundstone® organizations to protect customers on a 24x7 basis. McAfee AVERT protects customers by providing analysis and core technologies that are developed through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection with repair, and ActiveDAT technology to deliver those technologies for previously undiscovered viruses.
-------------
About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, Calif., a worldwide leader in Intrusion Prevention and Risk Management solutions, delivers proven security products and services to help customers effectively balance the competing priorities between business needs and security requirements. McAfee applies profound security expertise toward helping companies, government agencies and consumers block attacks, prevent disruptions, and continuously track and improve the security of their systems and networks. For more information, McAfee, Inc. can be reached at 972-963-8000 or www.mcafee.com.
NOTE: McAfee AVERT is a registered trademark or trademark of McAfee, Inc. and/or its affiliates in the United States and/or other countries. The color red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2005 McAfee, Inc. All Rights Reserved.