W32/Sdbot.worm!MS05-039

Type: Virus
SubType: Internet Worm
Discovery Date: 08/14/2005
Length: Varies
Minimum DAT: 4558 (08/15/2005)
Updated DAT: 5229 (02/13/2008)
Minimum Engine: 5.1.00
Description Added: 08/14/2005
Description Modified: 08/15/2005 9:17 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

In typical Sdbot evolutionary fashion, MS05-039 exploit code has been added to the Sdbot virus family. The same activity happened around DcomRPC, LSASS, and a host of other common vulnerabilities. This description covers the initial MS05-039 flavored Sdbot. At least one other MS05-039 exploiting Sdbot variant is known to exist, and at least 3 other SVKP repacks are also known. Like many Sdbots, certain functionality is only activated upon receiving the appropriate command from a BOT commander. If the bot is unable to connect to the hard-coded server/channel, that functionality is not executed.

It may be seen with the file names pnpsrv.exe or winpnp.exe. It contains the same MS05-039 exploit code that is present in W32/Zotob.worm, and is believed to have been written by the same author.

The exploit propagation code works in the same fashion: the compromised remote system is instructed to fetch the virus via FTP from the infected host and then execute it locally.

VirusScan Enterprise 8.0i and Managed VirusScan's generic buffer overflow protection protects against code execution that may result from exploitation of MS05-039.

Symptoms

When run, the virus copies itself to the WINDOWS SYSTEM directory as PNPSERV.EXE and creates several registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\OLE "Windows PNP Server" = pnpsrv.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows PNP Server" = pnpsrv.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices "Windows PNP Server" = pnpsrv.exe
  • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "Windows PNP Server" = pnpsrv.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "Windows PNP Server" = pnpsrv.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows PNP Server" = pnpsrv.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Windows PNP Server" = pnpsrv.exe
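A host-side check for the persistence entries listed above, added here as an example and not McAfee's code: it parses a `reg export`-style .reg dump (the sample dump is constructed inline) and flags any of the listed keys that carry the "Windows PNP Server" value, or that point at pnpsrv.exe / winpnp.exe under some other value name, which goes slightly beyond the exact value name the description gives.

```python
# Added example (not McAfee's code): scan a `reg export` (.reg) dump for the autostart entries listed above.
import re
# Locations and value name as given in the Symptoms list (registry key names are case-insensitive).
PERSISTENCE_KEYS = {k.lower() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)}
VALUE_NAME = "windows pnp server"
BAD_IMAGES = {"pnpsrv.exe", "winpnp.exe", "pnpserv.exe"}  # file names the description mentions

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for REG_SZ values; dword:/hex: values are skipped."""
    reg, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _KEY_RE.match(line):
            current = m.group(1)
            reg.setdefault(current, {})
        elif current is not None and (m := _SZ_RE.match(line)):
            # .reg escapes backslashes and double quotes with a backslash; undo that.
            reg[current][m.group(1)] = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
    return reg

def find_indicators(reg):
    """Flag (key, value_name, data) entries under the listed keys that match the described persistence."""
    hits = []
    for key, values in reg.items():
        if key.lower() in PERSISTENCE_KEYS:
            for name, data in values.items():
                image = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
                if name.lower() == VALUE_NAME or image in BAD_IMAGES:
                    hits.append((key, name, data))
    return hits

# Constructed sample dump: two infected entries plus one benign Run value.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Windows PNP Server"="pnpsrv.exe"
[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"Windows PNP Server"="pnpsrv.exe"
"""
```

Run `find_indicators(parse_reg_export(open("export.reg", encoding="utf-16").read()))` against a real `reg export` file (which is written as UTF-16) to list the suspect entries.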

The bot attempts to connect to a remote IRC server to receive commands from a BOT commander.

  • l33t.freeshellz.org (TCP 5232)

Commands include:

  • The ability to scan the network for vulnerable systems
  • Start an FTP server
  • DoS a specified target
  • Download and execute programs
  • Retrieve system information
  • Open a remote shell

Method of Infection

This threat can be instructed to scan for MS05-039 exploitable systems. When a vulnerable system is found, the buffer overflow and shellcode are sent to the remote system; the shellcode creates an FTP script and launches FTP.EXE to download and execute the worm from the source system.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
