Virus Information
Summary
Profile
Prevalence: Medium
Name: W32/Esbot-C
Type: Worm
How it spreads: Network Shares
Affected operating systems: Windows
Aliases: --
Date of surface: 22 August 2005
Description
W32/Esbot-C is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039), allowing a remote attacker access to the compromised computer.

It connects to the IRC server on the ypgw.wallloan.com domain on TCP port 18067 to listen for the following IRC commands:

Download and execute files
List, stop, and start processes and threads
Launch denial of service attacks
Find files on local hard disks
Scan for remotely exploitable computers
Recovery
To remove the worm, do one of the following:

1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that Internet access for your system is running. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.

OR

2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed, they are detected.

MWAV Tool Kit
(Download the free MicroWorld Anti Virus Toolkit that detects viruses in system registry and running processes)


eScan Internet Security Suite (ISS)
(Download MicroWorld's eScan that detects viruses in the system registry and running processes and has a real-time monitor)

Advanced
W32/Esbot-C is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039), allowing a remote attacker access to the compromised computer.

When W32/Esbot-C is executed, it performs the following actions:

Creates the mutex "ssl", so that only one instance of the worm runs at one time.

Copies itself as %System%\ssl.exe.

Runs itself as a service:

Service Name: ssl
Display Name: Microsoft SSL
Path to executable: %System%\ssl.exe

May inject itself into explorer.exe.

Modifies the value:
"EnableDCOM" = "N"
in the registry subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
to disable DCOM.

Adds the value:
"restrictanonymous" = "1"
to the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to restrict anonymous access to network shares.

Creates the following read-only file:
%Windir%\debug\dcpromo.log

Connects to the IRC server on the ypgw.wallloan.com domain on TCP port 18067 to listen for the following IRC commands:

Download and execute files
List, stop, and start processes and threads
Launch denial of service attacks
Find files on local hard disks
Scan for remotely exploitable computers
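The host artifacts listed above (dropped file, service, marker file, registry values, control channel and mutex) can be checked in one pass. The following PowerShell triage script is an added example written for this page, not a tool from MicroWorld or eScan. It is read-only, assumes an elevated prompt on a Windows host that provides Get-CimInstance and Get-NetTCPConnection (Windows 8 / Server 2012 or later), and treats the two registry values as corroborating evidence only, because "EnableDCOM" = "N" and "RestrictAnonymous" = 1 are also legitimate hardening settings that an administrator may have applied deliberately.

```powershell
# Added example: read-only triage for the W32/Esbot-C artifacts described on this page.
# Not MicroWorld/eScan code. Assumes an elevated prompt on a Windows host that has
# Get-CimInstance and Get-NetTCPConnection (Windows 8 / Server 2012 or later).

function New-Finding {
    param([string]$Indicator, [bool]$Hit, [string]$Detail)
    [pscustomobject]@{ Indicator = $Indicator; Hit = $Hit; Detail = $Detail }
}

$findings = @()

# Dropped copy of the worm: %System%\ssl.exe
$sslExe = Join-Path $env:SystemRoot 'System32\ssl.exe'
$findings += New-Finding 'File %System%\ssl.exe' (Test-Path -LiteralPath $sslExe) $sslExe

# Service "ssl" (display name "Microsoft SSL") pointing at that file
$svc = Get-CimInstance Win32_Service -Filter "Name='ssl'" -ErrorAction SilentlyContinue
$svcDetail = if ($svc) { "$($svc.DisplayName) -> $($svc.PathName)" } else { 'not present' }
$findings += New-Finding 'Service "ssl"' ($null -ne $svc) $svcDetail

# Read-only %Windir%\debug\dcpromo.log. Domain controllers keep a legitimate
# dcpromo.log in this directory, so the read-only attribute is the discriminator.
$marker = Join-Path $env:SystemRoot 'debug\dcpromo.log'
$markerHit = (Test-Path -LiteralPath $marker) -and (Get-Item -LiteralPath $marker).IsReadOnly
$findings += New-Finding 'Read-only %Windir%\debug\dcpromo.log' $markerHit $marker

# Registry values the worm sets. Both are also valid hardening settings, so treat
# them as corroboration, never as proof on their own.
$ole = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Ole' -Name EnableDCOM -ErrorAction SilentlyContinue
$findings += New-Finding 'EnableDCOM = "N"' ($ole.EnableDCOM -eq 'N') "EnableDCOM=$($ole.EnableDCOM)"

$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous -ErrorAction SilentlyContinue
$findings += New-Finding 'RestrictAnonymous = 1' ($lsa.RestrictAnonymous -eq 1) "RestrictAnonymous=$($lsa.RestrictAnonymous)"

# IRC control channel: any TCP session to remote port 18067. The page names the
# host ypgw.wallloan.com; the address it resolves to today may differ, so match on port.
$conns = @(Get-NetTCPConnection -RemotePort 18067 -ErrorAction SilentlyContinue)
$connDetail = if ($conns.Count) {
    ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess) $($_.State)" }) -join '; '
} else { 'none' }
$findings += New-Finding 'TCP connection to remote port 18067' ($conns.Count -gt 0) $connDetail

# Mutex "ssl". The worm runs as a service (session 0), so try the Global namespace
# as well as the caller's own session. An access-denied error still means it exists.
$mutexHit = $false
foreach ($name in @('Global\ssl', 'ssl')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $mutexHit = $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present under this name
    } catch [System.UnauthorizedAccessException] {
        $mutexHit = $true
    }
}
$findings += New-Finding 'Mutex "ssl"' $mutexHit ''

$findings | Format-Table -AutoSize

# Verdict: the dropped file alone is conclusive; otherwise require two independent hits,
# since the registry values on their own can be legitimate hardening.
$hits = @($findings | Where-Object Hit)
if ($hits.Count -ge 2 -or ($hits.Indicator -contains 'File %System%\ssl.exe')) {
    Write-Warning "W32/Esbot-C indicators present ($($hits.Count) of $($findings.Count)): isolate the host and run an updated scanner."
} else {
    Write-Output 'No conclusive W32/Esbot-C indicators found.'
}
```

Save the block as a .ps1 file and run it from an elevated prompt; the table shows every indicator with a Hit column so the responder can see which artifacts drove the verdict. The script deliberately never stops the service or deletes anything, leaving removal to an updated scanner as the Recovery section describes.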