Date: 14 August 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
AusCERT Update AU-2006.0029 - [Win]
New MocBot variants exploiting recent Microsoft vulnerability
14 August 2006
AusCERT Update Summary
----------------------
Operating System:     Windows Server 2003
                      Windows XP
                      Windows 2000
Impact:               Administrator Compromise
Access:               Remote/Unauthenticated
OVERVIEW:
Two new versions of the MocBot worm have emerged that exploit the
vulnerability described in Microsoft Bulletin MS06-040 [1][2].
These variants are currently active.
IMPACT:
Unpatched machines may be infected without user interaction. Once
infected that machine may be controlled remotely via IRC to spread
to further machines, launch denial of service attacks or other
malicious activities. Unsuccessful infection attempts may cause
Windows to crash.
MITIGATION:
Installing the patch listed in MS06-040 either manually or via
Windows or Microsoft Update effectively protects against this worm.
AusCERT recommends users examine their exposure to this worm and
patch as soon as possible.
DETAILS:
As MocBot contains hard-coded server names and addresses, administrators
should monitor for traffic to the following domain names and IP
addresses; such traffic may indicate an infected host. Note that
full-stops have been replaced with commas.
bniu,househot,com
ypgw,wallloan,com
61,189,243,240
202,121,199,200
210,75,211,111
211,154,135,30
218,61,146,86
58,81,137,157
61,163,231,115
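The following is an added example, not part of the AusCERT advisory: a small Python script that re-fangs the indicators above (commas back to full-stops), sorts them into IP addresses and domain names, and flags any DNS-query or firewall log line that mentions one of them, including subdomains of the listed domains. The log lines are constructed for illustration; the log format, field names and port numbers are assumptions, not anything the advisory describes.

```python
import re

# Indicators copied from the advisory, in its defanged form ('.' replaced by ',').
DEFANGED_INDICATORS = [
    "bniu,househot,com",
    "ypgw,wallloan,com",
    "61,189,243,240",
    "202,121,199,200",
    "210,75,211,111",
    "211,154,135,30",
    "218,61,146,86",
    "58,81,137,157",
    "61,163,231,115",
]

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Tokens that could be a hostname or dotted-quad; ':' and '=' act as separators.
HOST_TOKEN_RE = re.compile(r"[A-Za-z0-9.-]+")


def refang(indicator: str) -> str:
    """Turn the advisory's comma-separated form back into a real hostname or IP."""
    return indicator.strip().replace(",", ".").lower()


def load_indicators(defanged):
    """Split the re-fanged indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for item in defanged:
        value = refang(item)
        (ips if IPV4_RE.match(value) else domains).add(value)
    return ips, domains


def match_line(line, ips, domains):
    """Return the indicator this log line refers to, or None.

    Whole tokens are compared, so 161.189.243.240 does not match 61.189.243.240,
    while cdn.bniu.househot.com does match the listed domain bniu.househot.com.
    """
    for token in HOST_TOKEN_RE.findall(line):
        tok = token.lower().rstrip(".")
        if tok in ips:
            return tok
        for domain in domains:
            if tok == domain or tok.endswith("." + domain):
                return domain
    return None


def scan(lines, defanged=DEFANGED_INDICATORS):
    """Return (line number, indicator, line) for every line that hits an indicator."""
    ips, domains = load_indicators(defanged)
    hits = []
    for lineno, line in enumerate(lines, 1):
        hit = match_line(line, ips, domains)
        if hit:
            hits.append((lineno, hit, line.strip()))
    return hits


# Constructed sample log lines (hypothetical DNS resolver and firewall formats);
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges standing in for internal
# and unrelated external hosts.
SAMPLE_LOG = [
    "2006-08-14T10:02:11 dns query client=192.0.2.10 qname=bniu.househot.com type=A",
    "2006-08-14T10:02:12 fw permit tcp 192.0.2.10:1045 -> 61.189.243.240:6667",
    "2006-08-14T10:03:00 dns query client=192.0.2.11 qname=www.example.com type=A",
    "2006-08-14T10:03:05 fw permit tcp 192.0.2.11:1050 -> 198.51.100.7:80",
    "2006-08-14T10:04:30 dns query client=192.0.2.12 qname=ypgw.wallloan.com type=A",
]

if __name__ == "__main__":
    for lineno, indicator, line in scan(SAMPLE_LOG):
        print(f"line {lineno}: matched {indicator}: {line}")
```

Against the constructed log this reports lines 1, 2 and 5. Matching on whole tokens rather than substrings avoids false positives from longer addresses that merely contain a listed one, and the subdomain rule catches a variant that rotates hostnames under the same hard-coded domain.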
REFERENCES:
[1] Microsoft Bulletin MS06-040
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
[2] AusCERT Alert AL-2006.0064
http://www.auscert.org.au/6591
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRN/dYih9+71yA2DNAQKrAgQAmTKBUwzRhBJHcId50Dj27JKQ3GJ0spTL
TgGNUBeoWPmopzTHmKSTV08OprU8gET/3qZJRQVopRU7xjgahDwDki6l76G9r3+h
2hYgBm2PTCWAQlw4W4qcygTAFgcp1do6Tddm46G2yPvPylEnWwTxLABlONd2oZza
tJVa/qgW0aw=
=//C3
-----END PGP SIGNATURE-----