W32/IRCbot worm beats Sasser record

Experts raise risk assessment

Robert Jaques, vnunet.com 17 Aug 2005

Security experts today raised the risk assessment to high on the recently discovered W32/IRCbot.worm!MS05-039 worm, which is also known as IRCbot.worm!MS05-039. The worm, an Internet Relay Chat (IRC) Bot, includes the ability to spread by exploiting systems that are not yet patched for the MS05-039 vulnerability.

According to McAfee's AVERT antivirus team, the IRCbot.worm!MS05-039 worm has emerged in the wild seven days following the initial announcement of the Microsoft vulnerability, demonstrating the fastest time between the announcement of a vulnerability and the success of a mass propagating exploit - even faster than Sasser, which took 14 days.

"The vulnerability, which was announced by Microsoft on August 9, 2005, has also been targeted by virus writers who produced multiple variants of the ever expanding SDBot family, as well as a newly discovered family now known as Zotob, " AVERT warned.

"The IRCbot.worm!MS05-039 worm was the first of these threats to mass propagate successfully. To date, McAfee AVERT has received more than 150 reports of the worm being stopped or infecting users from the field. Most of these reports have arrived from the United States, although AVERT has also received reports from Asia and Europe."

The IRCbot.worm!MS05-039, once activated, is designed to contact a remote IRC server and wait for further instructions. If this worm is run on a system that has not yet been patched for the MS05-039 vulnerability, it will continually reboot. Infected systems will be listening on TCP port 8594.

When the file is run, the virus copies itself to the Windows System directory (eg C:\Windows\System32\ on Windows XP) as WINTBP.EXE. The file can be run automatically by exploiting the MS05-039 vulnerability or by a person directly executing the worm.

More information on IRCbot.worm!MS05-039 can be found here.

See also: