First MS05-047 malware found

We're currently looking at a botnet client known as "Mocbot". This botnet client has been spread using the MS05-047 vulnerability. This is the first case we've seen of malware using this vulnerability.

A symptom of infection is the existence of a file called wudpcom.exe in the SYSTEM directory. The botnet client tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded). Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft web site.

A patch against this vulnerability was published in the last monthly update set from Microsoft. Patch now.

The vulnerability can be exploited via 139/TCP and 445/TCP.

F-Secure : News from the Lab

Linked by shanmuga Sunday, 23rd October 2005 6:39AM
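A host triage check built from the two facts in the post (the wudpcom.exe file name and the 139/TCP and 445/TCP exposure), as an added example that is not from F-Secure or the original post. The function names and the sample `netstat -an` text are constructed for illustration.

```python
import os
import re
import tempfile

INDICATOR = "wudpcom.exe"      # file name given in the post
PNP_PORTS = {139, 445}         # TCP ports given in the post

# Matches a listening TCP row of Windows `netstat -an` output.
_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b", re.I)

def find_indicator(system_dir):
    """Return paths in system_dir named like INDICATOR, ignoring case.

    Windows file names are case-insensitive; a disk image mounted on
    another OS for triage may not be, so compare in lower case.
    """
    return sorted(
        os.path.join(system_dir, name)
        for name in os.listdir(system_dir)
        if name.lower() == INDICATOR
    )

def exposed_listeners(netstat_text):
    """Return (address, port) pairs listening on 139/445 beyond loopback."""
    hits = []
    for line in netstat_text.splitlines():
        m = _LISTEN.match(line)
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in PNP_PORTS and not addr.startswith("127.") and addr != "[::1]":
            hits.append((addr, port))
    return hits

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED
"""

if __name__ == "__main__":
    print(exposed_listeners(SAMPLE_NETSTAT))
    with tempfile.TemporaryDirectory() as d:  # stand-in for the SYSTEM directory
        open(os.path.join(d, "WUDPCOM.EXE"), "w").close()
        print(find_indicator(d))
```

A listener on these ports is normal on a Windows file-sharing host, so the second check measures exposure to the network vector, not infection; only the file check is a symptom.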