Virus Profile: IRC-Mocbot!MS06-040

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/12/2006
Date Added: 8/12/2006
Origin: N/A
Length: Varies
Type: Virus
Subtype: Internet Worm
DAT Required: 4828
Removal Instructions
   
 
 
   

Description

This is a detection for variants of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines.

This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0)  or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates a service(s) with the following properties:

  • Name: wgareg
  • Display name: Windows Genuine Advantage Registration Service
  • Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
  • Name: wgavm
  • Display name: Windows Genuine Advantage Validation Monitor
  • Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability..

(The "Windows Genuine Advantage"programs installed by Microsoft via Windows Update does not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory)

 

Indication of Infection

  • Heavy netbios and microsoft-ds network traffic
  • Presense of the file wgareg.exe or wgavm.exe in the WINDOWS SYSTEM directory
  • TCP 18067 connections to bniu.househot.com, bbjj.househot.com or ypgw.wallloan.com

The following registry key(s) may be added or modified to disable the Windows Security Center firewall and anti-virus monitors:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM = "n"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusdisablenotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\antivirusoverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisablenotify = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center\firewalldisableoverride = 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous = 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall = 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Start = 0x00000004

 

Methods of Infection

This worm spreads by exploitin the MS06-040 vulnerability.

Aliases

Backdoor.Win32.IRCBot.st (Kaspersky), Backdoor:Win32/Graweg.A (Microsoft), Backdoor:Win32/Graweg.B (Microsoft), CME-482, CME-762, W32.Wargbot (Symantec), W32/Cuebot-L (Sophos), W32/Cuebot-M (Sophos), WORM_IRCBOT.JK (TrendMicro), WORM_IRCBOT.JL (TrendMicro)
   

Virus Characteristics

This is a detection for a variant of IRC-Mocbot that exploits the Microsoft Windows Server Service Buffer Overflow MS06-040 against Windows 2000 machines.

This worm installs itself in the WINDOWS SYSTEM directory (typically c:\windows\system32) as wgareg.exe (MD5: 9928a1e6601cf00d0b7826d13fb556f0)  or wgavm.exe (MD5: 2bf2a4f0bdac42f4d6f8a062a7206797). It creates a service(s) with the following properties:

  • Name: wgareg
  • Display name: Windows Genuine Advantage Registration Service
  • Description: Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.
  • Name: wgavm
  • Display name: Windows Genuine Advantage Validation Monitor
  • Description: Ensures that your copy of Microsoft Windows is genuine. Stopping or disabling this service will result in system instability..

(The "Windows Genuine Advantage"programs installed by Microsoft via Windows Update does not typically contain a wgareg.exe or wgavm.exe file in the WINDOWS SYSTEM directory)

As in the older variants, this bot first attempts to connect to the following IRC servers on TCP 18067:

  • bbjj.househot.com
  • ypgw.wallloan.com

The bot connects to a specified channel and awaits commands, including:

  • DDoS
  • Scan (for vulnerable systems)
  • Download / execute remote files

Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds), looking for systems vulnerable to the MS06-040 vulnerability.  When a vulnerable system is discovered, the infected host causes a buffer overflow to occur on the remote system, instructing it to download Mocbot, save it to the WINDOWS SYSTEM directory as a file named .exe and then execute it.  Unlike many exploiting bots, Mocbot doesn't use FTP or TFTP to achieve the downloading, but rather contains its own downloader code.  The remote system downloads the worm via a random TCP port..

   

All Users:
Please update to 4828 (08/13/2006) or later DAT release package

Intrushield protects against this threat with sigset(s) 3.1.19, 2.1.46, 1.9.63, 1.8.80 released on?/8/2006.

Buffer Overflow Protection in VirusScan Enterprise 8.0 and VirusScan Consumer 11 does NOT protect against this threat.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This threat modifies a number of system configurations that includes disabling the default Windows Firewall on the infected machine. These changes should be manually configured.