Security experts today raised the risk assessment to high on the recently
discovered W32/IRCbot.worm!MS05-039 worm, which is also known as
IRCbot.worm!MS05-039. The worm, an Internet Relay Chat (IRC) Bot, includes the
ability to spread by exploiting systems that are not yet patched for the
MS05-039 vulnerability.
According to McAfee's AVERT antivirus team, the IRCbot.worm!MS05-039 worm has
emerged in the wild seven days following the initial announcement of the
Microsoft vulnerability, demonstrating the fastest time between the announcement
of a vulnerability and the success of a mass propagating exploit - even faster
than Sasser, which took 14 days.
"The vulnerability, which was announced by Microsoft on August 9, 2005, has
also been targeted by virus writers who produced multiple variants of the
ever-expanding SDBot family, as well as a newly discovered family now known as
Zotob," AVERT warned.
"The IRCbot.worm!MS05-039 worm was the first of these threats to mass
propagate successfully. To date, McAfee AVERT has received more than 150 reports
of the worm being stopped or infecting users from the field. Most of these
reports have arrived from the United States, although AVERT has also received
reports from Asia and Europe."
The IRCbot.worm!MS05-039, once activated, is designed to contact a remote IRC
server and wait for further instructions. If this worm is run on a system that
has not yet been patched for the MS05-039 vulnerability, the system will
continually reboot. Infected systems will be listening on TCP port 8594.
When the file is run, the virus copies itself to the Windows System directory
(e.g. C:\Windows\System32\ on Windows XP) as WINTBP.EXE. The file can be run
automatically by exploiting the MS05-039 vulnerability or by a person directly
executing the worm.
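The two host indicators described above (a listener on TCP port 8594 and a copy named WINTBP.EXE in the System directory) can be checked from collected triage output. The following is an added example, not part of the original article or McAfee's tooling; the `netstat -ano` text, file listing, addresses and PIDs are constructed, and the function names are hypothetical.

```python
from pathlib import PureWindowsPath

WORM_PORT = 8594          # listening port named in the article
WORM_FILE = "wintbp.exe"  # dropped file name named in the article (lower-cased)

# Constructed `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8594           0.0.0.0:0              LISTENING       1732
  TCP    192.168.1.20:1045      203.0.113.7:8594       ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed file listing of the Windows System directory.
SAMPLE_FILES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\WINDOWS\system32\WINTBP.EXE",
]


def listeners_on_port(netstat_text, port=WORM_PORT):
    """Return PIDs of TCP sockets LISTENING on the given local port."""
    pids = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        if fields[1].rsplit(":", 1)[-1] == str(port):
            pids.append(int(fields[4]))
    return pids


def dropped_copies(paths, name=WORM_FILE):
    """Return paths whose file name matches the worm's, ignoring case."""
    return [p for p in paths if PureWindowsPath(p).name.lower() == name]


def triage(netstat_text, paths):
    """Combine both indicators into one result for a host."""
    pids = listeners_on_port(netstat_text)
    files = dropped_copies(paths)
    return {"listener_pids": pids, "files": files, "suspect": bool(pids or files)}


if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_FILES))
```

Only the local port in LISTENING state is matched, so an outbound connection to a remote port 8594 is not flagged. A hit on either indicator is a reason to examine the host, not proof of infection.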
More information on IRCbot.worm!MS05-039 can be found here.