Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: MS05-039 Scanner
From: <Steve.Cummings () barclayscapital com>
Date: Tue, 16 Aug 2005 08:51:08 +0100

Attack vectors are over TCP ports 139 and 445.
Opens up a FTP server on TCP port 33333 to propagate the worm to other
systems.
Attempts to contact an IRC server at wait.atillaekici.net - 84.244.1.11
to distribute compromised system information.
Generates random IP addresses to attempt compromise using the MS05-039
vulnerability.
Affects Windows 2000 and XP with NT4 a possibility but is unconfirmed.
Once a system is compromised, it then downloads the backdoor payload
from the infecting system's FTP server (on TCP port 33333).
Creates a mutex called "B-O-T-Z-O-R" (minus the speech marks).
Creates a file called %system%\botzor.exe for Zotob.A or
%system%\csm.exe for Zotob.B.
The worm creates the following registry entries so that it runs every
time Windows starts.

Zotob.A:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WINDOW
S SYSTEM" = "botzor.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
\"WINDOWS SYSTEM" = "botzor.exe"

Zotob.B:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"csm
Win Updates" = "csm.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
\"csm Win Updates" = "csm.exe"

The worm also modifies the following registry key to change the Startup
type of Windows Firewall/Internet Connection Sharing (ICS) to
"Disabled":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start
" =  "0x00000004".
Modifies the hosts file (%system%\drivers\etc\hosts) to blackhole the
major AV vendors website and others by routing them to 127.0.0.1. 

Above compiled from various sources

Might help you

Regards

Steve Cummings


-----Original Message-----
From: michael_black () comcast net [mailto:michael_black () comcast net] 
Sent: 16 August 2005 03:21
To: pen-test () securityfocus com
Subject: MS05-039 Scanner

All,

Does anyone know of any available scanners for this vulnerability? I
know Tenable has a plugin for Nessus and eEye has a free one for up to
16 hosts, but I need one for a Class B network and I need it tonight
(long story, but I am sure some of you understand management pressures).
I know eEye sells a version of theirs for larger networks, but I cannot
get anyone on the phone at either Tenable or eEye, any suggestions?

------------------------------------------------------------------------
------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You
Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
------------------------------------------------------------------------
-------





------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.


Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the 
Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.

------------------------------------------------------------------------


------------------------------------------------------------------------------
FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't

Learn the hacker's secrets that compromise wireless LANs. Secure your
WLAN by understanding these threats, available hacking tools and proven
countermeasures. Defend your WLAN against man-in-the-Middle attacks and
session hijacking, denial-of-service, rogue access points, identity
thefts and MAC spoofing. Request your complimentary white paper at:

http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]