August 2005
Malicious Software Exploitation of MS05-039 Plug and Play Vulnerability
ID: 00684
Ref: 633/05
Date: 15 August 2005:16:35:40
Version: 1
Title: Malicious Software Exploitation of MS05-039 Plug and Play Vulnerability
Abstract:
Title
=====
Malicious Software Exploitation of MS05-039 Plug and Play Vulnerability
Detail
======
UNIRAS is aware that malicious software is exploiting a vulnerability announced by
Microsoft in a security bulletin on 9 August 2005. It is believed that in addition
to known new worms, botnets are exploiting the Plug and Play vulnerability detailed in
MS05-039.
The following web page extracts and links provide further information on W32/Zotob.A,
W32/Zotob.B and W32/Spybot (W32/Sdbot) variants. Readers may wish to check that their
Anti-Virus Software (AVS) is up to date and to read the website of their AVS provider
for further information.
W32/Zotob.A
-----------
Microsoft Security Advisory (899588)
"Microsoft is actively analyzing and providing guidance on a malicious worm identified
as "Worm:Win32/Zotob.A", which is currently circulating on the Internet. The worm is a
malicious attack which exploits the Windows Plug and Play vulnerability addressed in
Microsoft Security Bulletin MS05-039 on August 9, 2005. Our initial investigation has
revealed that the worm remotely attacks Windows 2000-based systems. For more
information and to help determine if you have been infected by this worm, see the Zotob
Security Incident Web site or the Microsoft Virus Encyclopedia.
Other versions of Windows, including Windows XP Service Pack 2 and Windows Server 2003,
are not remotely impacted by "Worm:Win32/Zotob.A". However, there may be ways for these
operating system versions to become infected through local user interaction or through
other Malware that may already be installed on the system. Customers can protect against
this worm by installing the security updates provided by the Microsoft Security Bulletin
MS05-039 immediately."
http://www.microsoft.com/technet/security/advisory/899588.mspx
-----
Symantec Security Response - W32.Zotob.A
"W32.Zotob.A is a worm that spreads by exploiting the Microsoft Windows Plug and Play
Service Vulnerability, as described in Microsoft Security Bulletin MS05-039.
W32.Zotob.A can run on, but not infect, computers running Windows 95/98/Me/NT4. Although
computers running these operating systems cannot be infected, they can still be used to
infect vulnerable computers that they can connect to.
Note: Definitions prior to Aug 14, 2005 may detect this worm as W32.IRCBot."
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
-----
F-Secure Virus Descriptions - Zotob.A
"The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039)
through TCP/445.
It creates 300 threads that connect to random IP addresses within the B-class (255.255.0.0)
network of the infected system. First it tests connection to port 445 and if successful, it
tries to exploit the vulnerability. If the attack is successful a shell (cmd.exe) is started
on port 8888. Through the shell port, the worm sends a ftp script which instructs the remote
computer to download and execute the worm from the attacker computer using FTP. The FTP server
listens on port 33333 on all infected computers with the purpose of serving out the worm for
other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk."
http://www.f-secure.com/v-descs/zotob_a.shtml
-----
McAfee Inc - W32/Zotob.worm
"This worm creates 16 threads to scan for infectable systems. The worm targets random class B
IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer
overflow and shellcode is sent to the remote system, creating an FTP script (2pac.txt is the
script file name) and launching FTP.EXE to download and execute the worm from the source system
(via TCP port 33333, haha.exe is fetched)."
http://vil.nai.com/vil/content/v_135433.htm
-----
Sophos virus analysis - W32/Zotob-A
"W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-A spreads to other network computers by exploiting common buffer overflow
vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
W32/Zotob-A runs continuously in the background, providing a backdoor server which allows
a remote intruder to gain access and control over the computer."
http://www.sophos.com/virusinfo/analyses/w32zotoba.html
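As an added illustration (not part of the UNIRAS advisory or any vendor's tooling), the following Python flags the propagation chain the F-Secure and McAfee descriptions above share: a host sweeping its own class B on TCP 445, a connection to the cmd.exe shell on port 8888, and the victim's FTP pull from the attacker on port 33333. The log format, the 10.1.x.x addresses and the 20-target threshold are constructed assumptions for the example.

```python
"""Flag Zotob-style propagation in a simple connection log (added example)."""
import ipaddress
from collections import defaultdict

# Ports named in the F-Secure and McAfee descriptions of W32/Zotob.A.
PNP_PORT = 445          # SYN scanning / Plug and Play exploit attempts
SHELL_PORT = 8888       # cmd.exe bound on the victim by the shellcode
FTP_PORT = 33333        # worm's own FTP server on every infected host
SCAN_THRESHOLD = 20     # distinct 445 targets from one source before flagging (assumed)

def parse_line(line):
    """Parse 'timestamp src dst dport' (constructed format, not a real product's)."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)

def same_class_b(a, b):
    """True when both addresses share their first 16 bits (the /16 Zotob sweeps)."""
    return (ipaddress.ip_network(f"{a}/16", strict=False)
            == ipaddress.ip_network(f"{b}/16", strict=False))

def detect_zotob(lines):
    """Return scanners, shell/FTP connections and victims where the full chain is seen."""
    targets_445 = defaultdict(set)
    shell, ftp = [], []
    for line in lines:
        if not line.strip():
            continue
        _, src, dst, dport = parse_line(line)
        if dport == PNP_PORT and same_class_b(src, dst):
            targets_445[src].add(dst)
        elif dport == SHELL_PORT:
            shell.append((src, dst))        # (attacker, victim)
        elif dport == FTP_PORT:
            ftp.append((src, dst))          # (victim, attacker)
    scanners = sorted(s for s, t in targets_445.items() if len(t) >= SCAN_THRESHOLD)
    # A victim that took a shell connection and then pulled FTP from the same
    # attacker has completed the download-and-execute chain described above.
    confirmed = sorted({v for (a, v) in shell for (v2, a2) in ftp if v2 == v and a2 == a})
    return {"scanners": scanners, "shell": shell, "ftp": ftp, "confirmed_victims": confirmed}

# Constructed sample: 10.1.2.3 sweeps its class B, then exploits 10.1.7.8.
SAMPLE = [f"12:00:{i:02d} 10.1.2.3 10.1.{i}.{i + 1} 445" for i in range(25)]
SAMPLE += [
    "12:01:00 10.1.2.3 10.1.7.8 8888",    # attacker connects to the shell on the victim
    "12:01:02 10.1.7.8 10.1.2.3 33333",   # victim fetches haha.exe from the attacker
    "12:01:05 10.1.9.9 10.1.2.3 80",      # unrelated traffic, ignored
]

if __name__ == "__main__":
    print(detect_zotob(SAMPLE))
```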
W32/Zotob.B
-----------
As Zotob.B is a variant of Zotob.A, the functionality is similar.
The following URLs provide further information about this worm:
Symantec Security Response - W32.Zotob.B
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
F-Secure Virus Descriptions - Zotob.B
http://www.f-secure.com/v-descs/zotob_b.shtml
McAfee Inc - W32/Zotob.worm.b
http://vil.nai.com/vil/content/v_135435.htm
Sophos virus analysis - W32/Zotob-B
http://www.sophos.com/virusinfo/analyses/w32zotobb.html
W32.Spybot (Sdbot) Variants
---------------------------
McAfee Inc. - W32/Sdbot.worm!MS05-039
"In typical Sdbot evolutionary fashion, MS05-039 exploit code has been added to the Sdbot
virus family. The same activity happened around DcomRPC, LSASS, and a host of other common
vulnerabilities. This description covers the initial MS05-039 flavored Sdbot. At least one
other MS05-039 exploiting Sdbot variant is known to exist, and at least 3 other SVKP repacks
are also known.
...
"They may be seen with the file names pnpsrv.exe or winpnp.exe. It contains the same MS05-039
exploit code that is present in W32/Zotob.worm, and is believed to have been written by the same
author. The exploit propagation code works in the same fashion, by instructing remote systems
to FTP the virus from the infected host to download and execute it locally"
http://vil.nai.com/vil/content/v_135434.htm
-----
Symantec Security Response - W32.Spybot.UBH
"W32.Spybot.UBH is a worm that has distributed denial of service and back door capabilities.
The worm spreads by using the vulnerability in Microsoft Windows Plug and Play Service (as
described in Microsoft Security Bulletin MS05-039)."
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ubh.html
--------------