Virus Information
Summary
Profile
Prevalence: Medium
Name: W32/Esbot-A
Type: Worm
How it spreads: Network Shares
Affected operating systems: Windows 2000
Aliases: W32/IRCbot.gen
Date of surface: 19 August 2005
Description
This is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).

It runs itself as a service under one of the following names:

Service Name: mousebm
Display Name: Mouse Button Monitor
Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
Path to executable: %System%\mousebm.exe

Service Name: mousemm
Display Name: Mouse Movement Monitor
Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
Path to executable: %System%\mousemm.exe

Service Name: mousesync.exe
Display Name: Mouse Synchronization
Description: Enables a computer to maintain synchronization with a PS/2 pointing device. Stopping or disabling this service will result in system instability.
Path to executable: %System%\mousesync.exe


Recovery
The worm must be removed from the system. Do one of the following:

1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is running. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.

OR

2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses, and also detects any illegal dialers or sniffer tools that have been installed.


MWAV Tool Kit
(Download the free MicroWorld Anti Virus Toolkit that detects viruses in system registry and running processes)

eScan Internet Security Suite (ISS)
(Download MicroWorld's eScan that detects viruses in the system registry and running processes, and has a real-time monitor)
Advanced
When W32/Esbot-A is executed, it performs the following actions:

Creates one of the following mutexes so that only one copy of the worm runs on the compromised computer:

mousebm
mousemm
mousesync

Copies itself as one of the following:

%System%\mousebm.exe
%System%\mousemm.exe
%System%\mousesync.exe

Adds one of the following values (the one matching the service it created):

"%System%\mousebm.exe"
"%System%\mousemm.exe"
"%System%\mousesync.exe"

under the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Injects itself into explorer.exe.

Modifies the value:

"EnableDCOM" = "N"

in the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
to disable DCOM.

Adds the value:
"restrictanonymous" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to restrict anonymous access to network shares.

Creates the following empty read-only file:
%Windir%\debug\dcpromo.log

Attempts to connect to one of the following IRC servers on TCP port 18067 to listen for IRC commands:

esxt.is-a-fag.net
esxt.legi0n.net
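As an added example that is not part of this advisory: a Python check that matches a host inventory against the artefacts listed above (service names, dropped files, the dcpromo.log marker, the two registry changes and the IRC destinations). The HostSnapshot shape and the sample data are constructed for the demonstration; the registry changes are reported separately as weak indicators because an administrator may set them deliberately.

```python
"""Offline indicator match for the W32/Esbot-A behaviour listed above (added example)."""
from dataclasses import dataclass

# Indicators quoted from the advisory text (paths kept symbolic, lower-cased)
ESBOT_SERVICES = {"mousebm": "Mouse Button Monitor",
                  "mousemm": "Mouse Movement Monitor",
                  "mousesync.exe": "Mouse Synchronization"}
ESBOT_FILES = {r"%system%\mousebm.exe", r"%system%\mousemm.exe", r"%system%\mousesync.exe"}
ESBOT_MARKER_FILE = r"%windir%\debug\dcpromo.log"
ESBOT_IRC = {("esxt.is-a-fag.net", 18067), ("esxt.legi0n.net", 18067)}

@dataclass
class HostSnapshot:                 # constructed inventory format, not from the advisory
    services: dict      # service name -> (display name, image path), as from "sc qc"
    files: set          # paths present on disk, %System%/%Windir% left symbolic
    registry: dict      # "key\value" -> data, with HKEY_LOCAL_MACHINE written as HKLM
    connections: set    # (remote host, remote TCP port) of established sessions

def check_esbot(snap: HostSnapshot) -> dict:
    """Return {'strong': [...], 'weak': [...]}.  Strong: artefacts specific to the
    worm.  Weak: settings it changes (EnableDCOM=N, restrictanonymous=1) that are
    also legitimate hardening, so they only matter together with a strong hit."""
    strong, weak = [], []
    for name, (display, path) in snap.services.items():
        if name.lower() in ESBOT_SERVICES or display in ESBOT_SERVICES.values():
            strong.append(f"service {name} ({display}) -> {path}")
    files = {f.lower() for f in snap.files}
    strong += [f"dropped file {f}" for f in sorted(files & ESBOT_FILES)]
    if ESBOT_MARKER_FILE in files:
        strong.append(f"marker file {ESBOT_MARKER_FILE}")
    strong += [f"IRC session to {h}:{p}" for h, p in sorted(snap.connections & ESBOT_IRC)]
    reg = {k.lower(): str(v).upper() for k, v in snap.registry.items()}
    if reg.get(r"hklm\software\microsoft\ole\enabledcom") == "N":
        weak.append("DCOM disabled (EnableDCOM=N)")
    if reg.get(r"hklm\system\currentcontrolset\control\lsa\restrictanonymous") == "1":
        weak.append("anonymous share access restricted (restrictanonymous=1)")
    return {"strong": strong, "weak": weak}

# Constructed sample of an infected host, for demonstration only
SAMPLE = HostSnapshot(
    services={"MouseBM": ("Mouse Button Monitor", r"%System%\mousebm.exe"),
              "Spooler": ("Print Spooler", r"%System%\spoolsv.exe")},
    files={r"%System%\mousebm.exe", r"%Windir%\debug\dcpromo.log"},
    registry={r"HKLM\Software\Microsoft\Ole\EnableDCOM": "N",
              r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous": 1},
    connections={("esxt.legi0n.net", 18067)})

if __name__ == "__main__":
    for level, items in check_esbot(SAMPLE).items():
        print(level, items)
```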