Threat behavior
Backdoor:Win32/Mocbot.B is an IRC Trojan that may spread to a system by exploiting the Windows Server Service vulnerability described in Microsoft Security Bulletin MS06-040. The Trojan could also arrive as an attachment to an e-mail message or as a link in an e-mail, AIM, or ICQ message. When run, Backdoor:Win32/Mocbot.B does the following:
- Copies itself to the Windows System folder as "wgavm.exe"
- Registers itself as a service named "Windows Genuine Advantage Validation Monitor"
- Injects code into explorer.exe that attempts to delete the original Trojan file
- Modifies the following registry values in order to lower security settings on infected systems:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
        EnableDCOM = "n"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
        restrictanonymous = "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
        autoshareserver = "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
        AntiVirusDisableNotify = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
        EnableFirewall = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
        EnableFirewall = "1"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
        Start = "4"
- Connects to predefined IRC channels and awaits commands, which can include the ability to execute programs, download additional malicious software or updates, send system information to the attacker, conduct DoS attacks, send messages via AIM/ICQ, or exploit other systems.
When instructed, Backdoor:Win32/Mocbot.B begins searching the local network for systems that have not yet applied the Microsoft Windows Server Service security patch described in Microsoft Security Bulletin MS06-040. Vulnerable systems it discovers are exploited in order to run a copy of Backdoor:Win32/Mocbot.B and thereby repeat the infection process.
The exploit code used by Backdoor:Win32/Mocbot.B targets unpatched systems running Windows 2000 only. No other versions of Windows have been found to be vulnerable to the specific exploit code used by the Trojan. However, Backdoor:Win32/Mocbot.B could arrive on a system by other means; for example, attackers could send the Trojan as an attachment to an e-mail, or send a link to the infected file via e-mail or instant messaging.
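The artifacts listed above (dropped file, service name, registry values) can be checked on a Windows host with a short audit script. The following is an added example, not part of the original advisory; it assumes the "Windows System folder" is System32 and that the service may carry the quoted string as either its service name or display name.

```powershell
# Added host-audit example: reports any Mocbot.B artifacts named above.
# A hit is an indicator to investigate, not proof of infection on its own.

# Registry values exactly as listed on this page (compared as strings so
# REG_SZ and REG_DWORD storage both match).
$expected = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Ole';                                      Name='EnableDCOM';             Value='n' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='restrictanonymous';      Value='1' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';   Name='autoshareserver';        Value='0' },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                          Name='AntiVirusDisableNotify'; Value='1' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name='EnableFirewall';         Value='1' },
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name='EnableFirewall';         Value='1' },
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess';              Name='Start';                  Value='4' }
)

function Test-MocbotIndicators {
    $findings = @()

    # 1. Dropped copy in the Windows System folder (assumed to be System32)
    $file = Join-Path $env:SystemRoot 'System32\wgavm.exe'
    if (Test-Path $file) { $findings += "File present: $file" }

    # 2. Persistence service registered under the spoofed name
    $svcName = 'Windows Genuine Advantage Validation Monitor'
    $svc = Get-Service | Where-Object { $_.Name -eq $svcName -or $_.DisplayName -eq $svcName }
    if ($svc) { $findings += "Service present: $($svc.Name) ($($svc.DisplayName))" }

    # 3. Registry values matching the list above
    foreach ($e in $expected) {
        $item = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and "$($item.($e.Name))" -eq $e.Value) {
            $findings += "Registry match: $($e.Path)\$($e.Name) = $($e.Value)"
        }
    }
    return $findings
}

$hits = Test-MocbotIndicators
if ($hits.Count -eq 0) { 'No Mocbot.B indicators found.' } else { $hits }
```

The EnableFirewall and restrictanonymous matches are weak on their own, since legitimate hardening sets the same values; the file, the service, and AntiVirusDisableNotify carry far more weight.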
Prevention
For specific prevention steps, refer to the "Suggested Actions" section of the Microsoft Security Advisory (922437) found at http://www.microsoft.com/technet/security/advisory/922437.mspx
Apply the following security tips to better protect your system in general:
- Enable a firewall on your computer.
- Get the latest computer updates.
- Use up-to-date antivirus software.
- Use caution with unexpected attachments.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP:
1. Click Start, and click Control Panel.
2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
3. Click Change Windows Firewall Settings.
4. Select On.
5. Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP:
1. Click Start, and click Control Panel.
2. Click System.
3. Click Automatic Updates.
4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with unexpected attachments
Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.