Sunday, October 23, 2005

MS05-047 first malware found: IRC.Mocbot

And now we have IRC.Mocbot ....
This botnet client has been spread using the MS05-047 vulnerability. This is the first case of this vulnerability being used in malware that I've seen. A symptom of infection is the existence of a file called wudpcom.exe in the SYSTEM directory. The botnet client tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded). Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft web site. The patch for this vulnerability was published in Microsoft's last monthly update set. The vulnerability can be exploited via 139/TCP and 445/TCP.
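A small host-triage script for the two indicators given above (the wudpcom.exe file in the SYSTEM directory and the bot's outbound IRC connections), added here as an example and not part of the original post. The directory listing, the netstat-style lines, the PID-to-image map and the remote addresses are all constructed sample data; the IRC port and the parsing of `netstat -ano` output are assumptions.

```python
"""Triage checks for the IRC.Mocbot indicators above (added example).
All sample input below is constructed; remote IPs are documentation-range placeholders."""
import re
from pathlib import PureWindowsPath

MOCBOT_FILE = "wudpcom.exe"  # dropped into the SYSTEM directory (from the post)

# Assumed `netstat -ano` line shape: proto, local addr:port, remote addr:port, [state], PID
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")

def find_dropped_file(system_dir_listing):
    """Return listing entries whose file name matches the dropper (case-insensitive)."""
    return [p for p in system_dir_listing
            if PureWindowsPath(p).name.lower() == MOCBOT_FILE]

def find_bot_connections(netstat_lines, pid_to_image):
    """Return (remote_ip, remote_port, state) for TCP connections owned by wudpcom.exe."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        proto, _lip, _lport, rip, rport, state, pid = m.groups()
        if proto != "TCP" or rport == "*":
            continue
        if pid_to_image.get(int(pid), "").lower() == MOCBOT_FILE:
            hits.append((rip, int(rport), state))
    return hits

def triage(system_dir_listing, netstat_lines, pid_to_image):
    """Combine both checks into a list of findings a responder can act on."""
    findings = [f"dropper present: {p}" for p in find_dropped_file(system_dir_listing)]
    findings += [f"wudpcom.exe connection to {ip}:{port} ({state})"
                 for ip, port, state in find_bot_connections(netstat_lines, pid_to_image)]
    return findings

# Constructed sample data (not real hosts); 6667 is the assumed IRC port.
SAMPLE_SYSTEM_DIR = [r"C:\WINDOWS\system32\kernel32.dll",
                     r"C:\WINDOWS\system32\WUDPCOM.EXE"]
SAMPLE_NETSTAT = [
    "Active Connections", "",
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    192.168.1.10:1041      203.0.113.7:6667       SYN_SENT        1480",
    "  TCP    192.168.1.10:1042      198.51.100.9:6667      SYN_SENT        1480",
    "  UDP    0.0.0.0:123            *:*                                    1020",
]
SAMPLE_PIDS = {4: "System", 1480: "wudpcom.exe", 1020: "svchost.exe"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSTEM_DIR, SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(finding)
```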