lol..
This is a new detection from Symantec. It exploits MS05-039. http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.woe.html
The filename in question is...
%System%\update.pif
The hostnames and ports are (IP data retrieved from samspade.org)
64.27.3.26 water.omfgwtfbbq.biz TCP 4654 (IRC)
64.27.3.26 water.omfgwtfbbq.biz TCP 65529 (IRC)
64.27.3.26 your.urgentupdate.net TCP 1427 (IRC)
64.27.3.26 your.urgentupdate.net TCP 65528 (IRC)
It spreads on ports 139 and 445
The registry value is...
"System Update Service" = "update.pif"
The registry keys are ...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
-----Original Message-----
From: symalert@symantec.com [mailto:symalert@symantec.com]
Sent: Tuesday, September 06, 2005 2:34 PM
To:
Subject: W32.Spybot.WOE - Category 2 - Virus Definitions 09/06/05
Name: W32.Spybot.WOE
Category: 2
Virus Definitions: September 6, 2005 (US Pacific Time)
Type: Worm
W32.Spybot.WOE is a worm with back door capabilities that can be used to launch a distributed denial of service attack. The worm spreads by exploiting numerous vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).
----------
For additional information, visit our website at http://securityresponse.symantec.com
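The indicators above (the C2 IP and hostnames on their IRC ports, and spreading on 139/445) lend themselves to a simple log check. The following is an added example, not part of the original post or of Symantec's advisory: it runs over a handful of constructed firewall log lines in an assumed format (`<ts> src=<ip> dst=<ip|host> dport=<port> proto=<proto>`), flags connections that match the listed C2 indicators, and separately flags any internal source that touches many distinct hosts on 139/445, which is what the worm's spreading looks like from the network side. The scan threshold is an assumption to tune per environment.

```python
"""Match constructed firewall log lines against the W32.Spybot.WOE indicators
from the post: C2 IP/hostnames on the listed IRC ports, and spreading on
TCP 139/445. Added example; log format and threshold are assumptions."""
import re
from collections import defaultdict

# Indicators taken from the post.
C2_IP = "64.27.3.26"
C2_HOSTS = {"water.omfgwtfbbq.biz", "your.urgentupdate.net"}
C2_PORTS = {4654, 65529, 1427, 65528}
SPREAD_PORTS = {139, 445}

# One source hitting this many distinct hosts on 139/445 is treated as
# scanning. Assumed value; a real deployment would tune it to the network.
SCAN_THRESHOLD = 5

# Assumed log format: "<ts> src=<ip> dst=<ip|host> dport=<port> proto=<proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["proto"] = rec["proto"].lower()
    return rec


def is_c2_connection(rec):
    """True when the record hits the C2 IP or hostname on one of the IRC ports.
    The IP alone is not enough: the same address on another port is not a match."""
    dst = rec["dst"].lower()
    return (rec["proto"] == "tcp"
            and (dst == C2_IP or dst in C2_HOSTS)
            and rec["dport"] in C2_PORTS)


def find_indicators(lines):
    """Return matched C2 records and sources that look like 139/445 scanners."""
    c2_hits = []
    spread_targets = defaultdict(set)  # src -> distinct dsts on 139/445
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped, not treated as matches
        if is_c2_connection(rec):
            c2_hits.append(rec)
        elif rec["proto"] == "tcp" and rec["dport"] in SPREAD_PORTS:
            spread_targets[rec["src"]].add(rec["dst"])
    scanners = sorted(src for src, dsts in spread_targets.items()
                      if len(dsts) >= SCAN_THRESHOLD)
    return {"c2": c2_hits, "scanners": scanners}


# Constructed sample log: 10.0.0.7 talks to the C2 on two IRC ports and then
# sweeps six neighbours on 445; 10.0.0.8 is benign (C2 IP on port 80 is not
# an indicator, and a single file-share connection is normal traffic).
SAMPLE_LOG = [
    "2005-09-06T14:40:01 src=10.0.0.7 dst=64.27.3.26 dport=4654 proto=tcp",
    "2005-09-06T14:40:05 src=10.0.0.7 dst=water.omfgwtfbbq.biz dport=65529 proto=tcp",
    "2005-09-06T14:41:00 src=10.0.0.8 dst=64.27.3.26 dport=80 proto=tcp",
    "2005-09-06T14:41:10 src=10.0.0.8 dst=10.0.0.9 dport=445 proto=tcp",
    "this line is not in the expected format",
] + [
    f"2005-09-06T14:42:{i:02d} src=10.0.0.7 dst=10.0.0.{20 + i} dport=445 proto=tcp"
    for i in range(6)
]

if __name__ == "__main__":
    result = find_indicators(SAMPLE_LOG)
    for rec in result["c2"]:
        print(f"C2 contact: {rec['src']} -> {rec['dst']}:{rec['dport']} at {rec['ts']}")
    for src in result["scanners"]:
        print(f"Possible 139/445 scanning from {src}")
```

The two checks are deliberately independent: the C2 match is high confidence on its own, while the 139/445 sweep is behavioural and only useful with a threshold above normal file-share fan-out, so a host that trips both is the one to pull first.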