  1. #1
    Senior Member
    Join Date
    Jan 2003

    MS06-040 Worm Out

    Hey Hey,

    For those of you that haven't patched yet: a worm (a variant of MocBot, or a 'new' virus named Graweg according to MS) is circulating for MS06-040. It's fairly standard: exploit, install a service, service connects to IRC to wait for commands.

    LurHQ has a great analysis of the virus:

    Mocbot first appeared in late 2005, using the MS05-039 PnP vulnerability in order to spread. Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary anti-virus writeups and signatures.

    Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China. Historically, Chinese ISPs and government entities have been less than cooperative in taking action against malware hosted and controlled from within their networks.

    Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040. Primarily, Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems.

    This variant of Mocbot copies itself to the system directory as wgareg.exe and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

    Mocbot can also use AOL Instant Messenger to send instant messages using the victim's account. This could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP. Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445. This underscores the danger of allowing unrestricted external instant messaging in a corporate environment, as it often introduces malware directly to users, bypassing perimeter controls.

    At the time of this writing, anti-virus detection is not especially broad, with only 1/3 of all anti-virus engines tested reporting the file as malware or flagging it as suspicious. None of them recognize it as a Mocbot variant.
    They also have Snort signatures available on their site, which they've submitted to Bleeding Snort.

    The MSRC blog is reporting this:

    Hey everyone, it's Adrian. Wanted to drop in and let you know where we are in our investigation of Win32/Graweg. As I'm sure you've seen by now on our AV partner sites, this is rated as a low threat and doesn't at this time replicate automatically from machine to machine. So its impact in terms of infection base appears to be extremely small. We've updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers that have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.
    Keep the bolded portion in mind as you read this next writeup (the original from ISC):

    Over the weekend there was a botnet doing fairly wide-scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm-like fashion.
    Microsoft has updated Advisory 922437 due to this activity.

    My current goal is to obtain a copy of this worm for further analysis and to play with (I have a few cool ideas to log data), so if anyone comes across it, could you please quarantine a copy and send it my way: PM it here in a zip or email it to me -- ht[at]computerdefense.org

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
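    The two indicators the post gives are a host artifact (the wgareg.exe service with its "Windows Genuine Advantage Registration Service" display name) and a network behaviour (one host spreading over TCP 445 to many internal systems). The script below is an added example, not code from the original post or from LurHQ's writeup; it runs the two checks over constructed sample data. The service tuples and connection lines are made up for illustration (in practice they would come from `sc qc`/WMI output and firewall or NetFlow logs), and the scan threshold of 20 distinct 445 targets per source is an assumption, not a figure from the writeup.

```python
"""Added example: host IoC check and worm-like TCP/445 spread detection
for the Mocbot/Graweg indicators described in the post above.
Not the original author's or LurHQ's code; all sample data is constructed."""
from collections import defaultdict

# Indicators taken from the writeup quoted in the post.
IOC_SERVICE_NAME = "Windows Genuine Advantage Registration Service"
IOC_BINARY = "wgareg.exe"
SMB_PORT = 445


def _image_basename(image_path):
    """Return the lower-cased executable name from a service ImagePath,
    handling quoted paths and trailing arguments (e.g. '"C:\\x\\y.exe" -k')."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted path: keep what's inside
    else:
        p = p.split()[0] if p else ""       # unquoted: drop any arguments
    return p.replace("\\", "/").split("/")[-1].lower()


def suspicious_services(services):
    """services: iterable of (display_name, image_path) tuples, as parsed
    from `sc qc` or Win32_Service. Returns the entries matching either the
    display name or the binary name the writeup reports."""
    hits = []
    for display_name, image_path in services:
        name_hit = display_name.strip().lower() == IOC_SERVICE_NAME.lower()
        path_hit = _image_basename(image_path) == IOC_BINARY
        if name_hit or path_hit:
            hits.append((display_name, image_path))
    return hits


def port445_scanners(conn_lines, threshold=20):
    """conn_lines: firewall/NetFlow-style lines 'src dst dport'.
    A single source opening connections to many distinct destinations on
    445 is worm-like spreading, not ordinary file sharing. Returns
    {src: distinct_445_targets} for sources at or above the threshold
    (threshold is an assumed tuning value)."""
    targets = defaultdict(set)
    for line in conn_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue                        # skip malformed lines
        src, dst, dport = parts
        if int(dport) == SMB_PORT:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample data (not real systems or real logs).
SAMPLE_SERVICES = [
    ("Print Spooler", "C:\\WINDOWS\\system32\\spoolsv.exe"),
    ("Some Vendor Agent", '"C:\\Program Files\\Vendor\\agent.exe" -k service'),
    ("Windows Genuine Advantage Registration Service", "C:\\WINDOWS\\system32\\wgareg.exe"),
]

SAMPLE_CONNS = (
    # one infected host hitting 30 internal neighbours on 445
    ["10.0.0.5 10.0.0.%d 445" % i for i in range(100, 130)]
    # a normal client talking to its file server, and some web traffic
    + ["10.0.0.7 10.0.0.10 445", "10.0.0.7 10.0.0.10 445", "10.0.0.7 192.0.2.1 80"]
)

if __name__ == "__main__":
    for name, path in suspicious_services(SAMPLE_SERVICES):
        print("IoC hit: service %r -> %s" % (name, path))
    for src, n in port445_scanners(SAMPLE_CONNS).items():
        print("worm-like 445 spread from %s: %d distinct targets" % (src, n))
```

The service check matches on either indicator because the bot could be renamed while keeping the display name, or vice versa; the network check counts distinct destinations rather than connection attempts so that a busy but legitimate client hammering one file server does not trip it.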

  2. #2
    AO Guinness Monster MURACU
    Join Date
    Jan 2004
    Just a little heads up: I heard that the patch MS06-040 may have an impact on HTTPS services and certificates, so test the patch well before you deploy it (as usual). I have moved jobs so I no longer have a W2K3 domain to play with, so if anyone has more concrete information on whether it does cause problems or not, it would interest me.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde (1854-1900)

  3. #3
    Senior Member
    Join Date
    May 2006
    Also, the patch changes IE settings to high automatically, or at least from what I've heard. Firefox/Opera/Netscape/Mozilla users are good though.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Er0k - You are obviously confused, or repeating bad information. This patch only contains an update for the Server service. It does nothing to IE. Specifically, it does a check on the length of messages being submitted to the Server service via RPC. It has nothing to do with IE.
