Virus Profile: W32/IRCbot.worm!MS05-039

Virus Profile information details
Risk Assessment: Home Low-Profiled | Corporate Low-Profiled
Date Discovered: 8/16/2005
Date Added: 8/16/2005
Origin: Unknown
Length: 10366 bytes
Type: Virus
Subtype: Internet Relay Chat
DAT Required: 4560

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

If this worm is run on a system that has not yet been patched for the MS05-039 vulnerability, the system may reboot.

Methods of Infection

This threat scans for systems that are exploitable via MS05-039. When a vulnerable system is found, it uses the buffer overflow to write the worm file to that machine via a TFTP upload on port 8594. Blocking this port with McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow itself is not prevented.

Aliases

CME-540, W32.Zotob.E (Symantec), W32/Tpbot-A (Sophos), WORM_RBOT.CBQ (Trend)

Virus Characteristics

-- Update August 19, 2005 --
Due to a decrease in prevalence W32/IRCbot.worm!MS05-039 is being lowered to Low-Profiled risk.
--

-- Update August 17, 2005 --
Due to a decrease in reports of new infections, W32/IRCbot.worm!MS05-039 is being lowered to Medium risk.
--

This detection is for an Internet Relay Chat (IRC) bot worm which includes the ability to spread by exploiting systems that are not yet patched for the MS05-039 vulnerability.

This worm is designed to contact a remote IRC server and wait for further instructions.

If you think that you may be infected with W32/IRCbot.worm!MS05-039, and are unsure how to check your system, you may download the Stinger tool to scan your system and remove the virus if present. This is not required for McAfee users, as McAfee products are capable of detecting and removing the virus with the latest update (see the removal instructions below for more information).

Installation

When the file is run, the virus copies itself to the Windows System directory (e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE. The file can be run automatically by exploiting the MS05-039 vulnerability or by a person directly executing the worm.

Registry keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe
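The two host indicators listed above (the Run-key value and the dropped WINTBP.EXE) can be checked with a short script. This is an added example, not McAfee's tooling; the matching logic is kept in a pure function so it can also be run over Run-key values and directory listings captured from another host. The value name, data and file name it looks for are the ones this profile gives.

```python
"""Host check for the W32/IRCbot.worm!MS05-039 indicators in this profile:
the Run-key value "wintbp.exe" and the file WINTBP.EXE in the System
directory. Added example, not McAfee's own tooling."""
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_FILE = "wintbp.exe"  # name the profile reports (case-insensitive on NTFS)


def find_indicators(run_values, system_dir_files):
    """Match the profile's indicators against captured data.

    run_values: mapping of Run-key value name -> value data
    system_dir_files: iterable of file names in the System directory
    Returns a list of findings; an empty list means nothing matched.
    """
    findings = []
    for name, data in run_values.items():
        # The worm writes value name "wintbp.exe" with data "wintbp.exe";
        # accept either side, including a full path ending in the file name.
        data_l = str(data).strip('"').lower()
        if name.lower() == DROPPED_FILE or data_l.endswith(DROPPED_FILE):
            findings.append(f"Run key value {name!r} = {data!r}")
    if any(f.lower() == DROPPED_FILE for f in system_dir_files):
        findings.append(f"{DROPPED_FILE} present in System directory")
    return findings


def collect_live_windows_state():
    """Read the real Run key and System32 listing (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once all values have been enumerated
                break
            values[name] = data
            index += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return values, os.listdir(system_dir)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("Run this on the Windows host being checked")
    hits = find_indicators(*collect_live_windows_state())
    print("\n".join(hits) if hits else "No W32/IRCbot.worm!MS05-039 indicators found")
```

Reading the Run key needs no elevation, and a hit on either indicator should be followed by a scan with current DATs rather than manual deletion alone.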

AVERT DATS
Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.

McAfee Intrushield
Sigsets released on Aug 9th, 2005 will detect this as:

DCERPC: Microsoft Plug and Play Service Buffer Overflow (0x47602000)

Stinger
Stinger has been updated to help detect and repair this threat.

McAfee Managed VirusScan
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.

McAfee Entercept
McAfee Entercept prevents the vulnerable system from being exploited with Level 1 protection enabled.

McAfee VirusScan Enterprise 8.0i
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.  Additionally, systems running VirusScan Enterprise with the "Prevent creation of new files in the System32 folder (.exe)" access protection rule set to "Block access" will be protected from infection, though the buffer overflow may still occur on unpatched systems.

Note: if this rule is set to apply to all processes, it will also block legitimate updates to files in the Windows directory, such as when applying security patches, and so will need to be disabled while such legitimate activity is taking place.

The User-defined Detection feature of the Unwanted Programs Policy can also be used to prevent replication of the worm, by adding a detection for wintbp.exe as shown below