Penetration Testing mailing list archives
RE: MS05-039 Scanner
From: <Steve.Cummings () barclayscapital com>
Date: Tue, 16 Aug 2005 08:51:08 +0100
Attack vectors are over TCP ports 139 and 445. Opens up a FTP server on TCP port 33333 to propagate the worm to other systems. Attempts to contact an IRC server at wait.atillaekici.net - 84.244.1.11 to distribute compromised system information. Generates random IP addresses to attempt compromise using the MS05-039 vulnerability. Affects Windows 2000 and XP with NT4 a possibility but is unconfirmed.

Once a system is compromised, it then downloads the backdoor payload from the infecting system's FTP server (on TCP port 33333). Creates a mutex called "B-O-T-Z-O-R" (minus the speech marks). Creates a file called %system%\botzor.exe for Zotob.A or %system%\csm.exe for Zotob.B.

The worm creates the following registry entries so that it runs every time Windows starts.

Zotob.A:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"WINDOWS SYSTEM" = "botzor.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"WINDOWS SYSTEM" = "botzor.exe"

Zotob.B:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"csm Win Updates" = "csm.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\"csm Win Updates" = "csm.exe"

The worm also modifies the following registry key to change the Startup type of Windows Firewall/Internet Connection Sharing (ICS) to "Disabled":
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\"Start" = "0x00000004"

Modifies the hosts file (%system%\drivers\etc\hosts) to blackhole the major AV vendors website and others by routing them to 127.0.0.1.

Above compiled from various sources. Might help you.

Regards
Steve Cummings

-----Original Message-----
From: michael_black () comcast net [mailto:michael_black () comcast net]
Sent: 16 August 2005 03:21
To: pen-test () securityfocus com
Subject: MS05-039 Scanner

All,

Does anyone know of any available scanners for this vulnerability?
I know Tenable has a plugin for Nessus and eEye has a free one for up to 16 hosts, but I need one for a Class B network and I need it tonight (long story, but I am sure some of you understand management pressures). I know eEye sells a version of theirs for larger networks, but I cannot get anyone on the phone at either Tenable or eEye, any suggestions?
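The indicators Steve lists above (Run/RunServices values, the SharedAccess Start value, the dropped binary, the mutex, the TCP 33333 FTP listener, the IRC host and the hosts-file blackholing) can be turned into a host-side check. The following is an added example, not code from the original post: it takes a host "snapshot" dictionary whose layout (registry, files, mutexes, listening_tcp, connections, hosts) is an assumption of this example, and reports which Zotob.A/B indicators it matches. The sample snapshot and the AV-style domain names in its hosts file are constructed for the demonstration.

```python
"""Match a host snapshot against the Zotob.A/B indicators from the e-mail above."""
import ipaddress

# Indicators as given in the e-mail.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
AUTORUN_VALUES = {"WINDOWS SYSTEM": "botzor.exe", "csm Win Updates": "csm.exe"}
SHARED_ACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
DROPPED_FILES = {"botzor.exe": "Zotob.A", "csm.exe": "Zotob.B"}
MUTEX = "B-O-T-Z-O-R"
FTP_PORT = 33333
IRC_HOST, IRC_IP = "wait.atillaekici.net", "84.244.1.11"
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blanks skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def blackholed_names(text):
    """Names routed to a loopback address, apart from the normal localhost entries."""
    found = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; skip rather than guess
        if addr.is_loopback and name not in BENIGN_LOOPBACK:
            found.append(name)
    return found


def check_snapshot(snap):
    """Return a list of (indicator, detail) findings; an empty list means no match."""
    findings = []
    registry = snap.get("registry", {})

    # Persistence: the Run / RunServices values named in the write-up.
    for key in RUN_KEYS:
        for value_name, data in registry.get(key, {}).items():
            expected = AUTORUN_VALUES.get(value_name)
            if expected and str(data).lower().endswith(expected):
                findings.append(("autorun", f"{key}\\{value_name} = {data}"))

    # Windows Firewall / ICS service switched to Disabled (Start = 4).
    start = registry.get(SHARED_ACCESS, {}).get("Start")
    try:
        if start is not None and int(str(start), 0) == 4:
            findings.append(("firewall_disabled", f"{SHARED_ACCESS}\\Start = {start}"))
    except ValueError:
        pass  # non-numeric data in the snapshot; nothing to conclude

    # Dropped binary in %system%.
    for path in snap.get("files", []):
        base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in DROPPED_FILES:
            findings.append(("file", f"{path} ({DROPPED_FILES[base]})"))

    # Mutex, FTP listener used for propagation, and IRC contact.
    if MUTEX in snap.get("mutexes", []):
        findings.append(("mutex", MUTEX))
    if FTP_PORT in snap.get("listening_tcp", []):
        findings.append(("ftp_listener", f"tcp/{FTP_PORT}"))
    for host, port in snap.get("connections", []):
        if host.lower() in (IRC_HOST, IRC_IP):
            findings.append(("irc_contact", f"{host}:{port}"))

    # Hosts-file tampering (AV sites pinned to 127.0.0.1).
    for name in blackholed_names(snap.get("hosts", "")):
        findings.append(("hosts_blackhole", name))

    return findings


# Constructed sample resembling a Zotob.B infection (not real telemetry).
SAMPLE_INFECTED = {
    "registry": {
        RUN_KEYS[0]: {"csm Win Updates": "csm.exe", "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe"},
        RUN_KEYS[1]: {"csm Win Updates": "csm.exe"},
        SHARED_ACCESS: {"Start": "0x00000004"},
    },
    "files": ["C:\\WINDOWS\\system32\\csm.exe", "C:\\WINDOWS\\system32\\notepad.exe"],
    "mutexes": ["B-O-T-Z-O-R", "ShimCacheMutex"],
    "listening_tcp": [135, 139, 445, 33333],
    "connections": [("wait.atillaekici.net", 6667)],
    "hosts": (
        "127.0.0.1 localhost\n"
        "# constructed sample: AV-vendor-style names pinned to loopback\n"
        "127.0.0.1 www.avvendor-one.example\n"
        "127.0.0.1 update.avvendor-two.example\n"
    ),
}

if __name__ == "__main__":
    for kind, detail in check_snapshot(SAMPLE_INFECTED):
        print(f"{kind:18} {detail}")
```

Each finding is a separate indicator so a single coincidental hit (a stray loopback entry in a hosts file, say) can be weighed against the rest; several categories matching together is what points at an actual infection rather than noise.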
Current thread:
- MS05-039 Scanner michael_black (Aug 16)
- Re: MS05-039 Scanner Base64 (Aug 16)
- Re: MS05-039 Scanner Jeff Bryner (Aug 16)
- Re: MS05-039 Scanner rusty chiles (Aug 16)
- Re: MS05-039 Scanner Graeme Connell (Aug 18)
- Re: MS05-039 Scanner Matt Burrough (Aug 18)
- <Possible follow-ups>
- RE: MS05-039 Scanner Steve.Cummings (Aug 16)
- RE: MS05-039 Scanner MacEwen, Jeffrey B. (Aug 16)
- RE: MS05-039 Scanner Marc Maiffret (Aug 17)
- Re: MS05-039 Scanner fatb (Aug 18)
- Re: MS05-039 Scanner Byron L. Sonne (Aug 18)
- Re: MS05-039 Scanner michael_black (Aug 17)
- RE: MS05-039 Scanner Beauford, Jason (Aug 18)
- Re: MS05-039 Scanner fatb (Aug 19)
- Re: MS05-039 Scanner David Cravshaw (Aug 19)
- RE: MS05-039 Scanner MacEwen, Jeffrey B. (Aug 19)