
New Worm Targets MS05-039 Vulnerability

Steven Parker   on 15 August 2005 - 09:27 · 30 comments & 1617 views

McAfee is reporting an outbreak of a new worm that affects Windows 2000 users and Windows XP users who have not installed SP2.

The worm creates 16 threads to scan for infectable systems. It targets random class B IP addresses, sending SYN packets to TCP port 445. When a vulnerable system is found, a buffer overflow payload and shellcode are sent to the remote system, which then creates an FTP script and launches FTP.EXE to download and execute the worm from the source system.

This worm exploits the MS05-039 vulnerability. At least 2 other W32/Sdbot-based worms are known to exist that also exploit this vulnerability. They may be seen with the filenames pnpsrv.exe or winpnp.exe.
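The scanning behaviour described above (many SYNs to TCP 445 spread across random class B ranges) is a pattern that perimeter and host firewall logs expose well. The following Python script is an added example, not part of McAfee's write-up or this article: it parses constructed log lines in an assumed space-separated format (timestamp, source, destination, protocol, destination port, TCP flags) and flags sources whose SYNs to port 445 fan out over many distinct /16 prefixes, which normal SMB use does not.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (timestamp src dst proto dport flags);
# 10.1.2.3 plays the scanning host, 10.1.2.50 a host using one file server.
SAMPLE_LOG = """\
2005-08-15T09:30:01 10.1.2.3 10.1.2.9 TCP 445 S
2005-08-15T09:30:01 10.1.2.3 10.1.2.77 TCP 445 S
2005-08-15T09:30:01 10.1.2.3 172.16.0.5 TCP 445 S
2005-08-15T09:30:02 10.1.2.3 172.16.9.5 TCP 445 S
2005-08-15T09:30:02 10.1.2.3 192.168.7.7 TCP 445 S
2005-08-15T09:30:02 10.1.2.3 10.44.1.1 TCP 445 S
2005-08-15T09:30:03 10.1.2.3 10.45.1.1 TCP 445 S
2005-08-15T09:30:03 10.1.2.3 10.46.1.1 TCP 445 S
2005-08-15T09:30:03 10.1.2.3 10.47.1.1 TCP 445 S
2005-08-15T09:30:03 10.1.2.50 10.1.2.10 TCP 445 S
2005-08-15T09:30:04 10.1.2.50 10.1.2.10 TCP 445 S
2005-08-15T09:30:04 10.1.2.50 10.1.2.10 TCP 80 S
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) TCP (\d+) (\S+)$")

def class_b(ip):
    """Return the /16 ('class B') prefix of a dotted-quad address."""
    return ".".join(ip.split(".")[:2])

def syn_targets_on_445(log_text):
    """Map each source to the destinations it sent a SYN to on TCP/445."""
    targets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or non-TCP lines
        _ts, src, dst, dport, flags = m.groups()
        if dport == "445" and flags == "S":
            targets[src].append(dst)
    return targets

def find_scanners(log_text, min_syns=8, min_class_b=4):
    """Flag sources whose 445 SYNs spread over many distinct /16 prefixes,
    the footprint of random class-B scanning rather than normal SMB use."""
    hits = {}
    for src, dsts in syn_targets_on_445(log_text).items():
        prefixes = {class_b(d) for d in dsts}
        if len(dsts) >= min_syns and len(prefixes) >= min_class_b:
            hits[src] = (len(dsts), len(prefixes))
    return hits  # e.g. {"10.1.2.3": (9, 7)} for SAMPLE_LOG
```

The thresholds are assumptions to tune per network; a host legitimately talking to a few file servers stays well below them.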

View: Details & Fix Information @ McAfee
View: MS05-039 Bulletin & Fixes @ Microsoft

Source: Thanks Jon for posting this in Back Page News on our forums.

(7 replies) #1 HoochieMamma on 15 Aug 2005 - 09:30
And people STILL think there's nothing wrong with not installing SP2....
#1.1 WindowsNT on 15 Aug 2005 - 09:54
Yeah, Windows XP users must upgrade to SP2!
#1.2 Darknm on 15 Aug 2005 - 13:15
Screw SP2, router firewalls are where it's at.
#1.3 shao on 15 Aug 2005 - 13:51
Because hardware appliances are immune to exploits.
Try telling Cisco that!
#1.4 sphbecker on 15 Aug 2005 - 14:04
For now SP1 people can still install the fix, but the day will soon come when Microsoft will only publish fixes for SP2. So people will be forced to install it to stay current.

As for firewalls, yes, you should have one, but what happens if someone brings an infected laptop inside your network? Perimeter security may work for very small networks, but you really need more (as we all found out with Blaster).
#1.5 Echelon Left on 15 Aug 2005 - 15:26
QUOTE

And people STILL think there's nothing wrong with not installing SP2....

And you're basing this on MS05-039?
Let's take a look at which versions of Windows MS says are affected, shall we?
QUOTE

• Microsoft Windows 2000 Service Pack 4
• Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
• Microsoft Windows XP Professional x64 Edition
• Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
• Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Hey, look at that. Both XP SP1 AND XP SP2 are affected.
You know what that means, HoochieMama?
(I know; I'm just wondering if you do.)
#1.6 sphbecker on 15 Aug 2005 - 16:14
The SP2 code may be affected, but it puts up the firewall by default. So most users with SP2 will be okay unless they went in and turned off their firewall.
#1.7 leojei on 15 Aug 2005 - 18:12
As noted in the Security Bulletin, only Windows 2000 with this vulnerability is at risk of being exploited remotely and anonymously. For XP, XP SP1, XP SP2 and Win2k3, a valid logon credential is needed for exploiting, which means it can't be exploited remotely.
(2 replies) #2 Krome on 15 Aug 2005 - 09:54
I thought this patch was posted here on Neowin a week ago...
#2.1 Neobond on 15 Aug 2005 - 10:06
It was, but now there's a worm that targets the vulnerability. That makes it a totally different story.
#2.2 shao on 16 Aug 2005 - 10:44
The KB article has also been updated several times, which anyone who's subscribed to the relevant Microsoft mailing list would know.
#3 mad_onion on 15 Aug 2005 - 10:38
Yeah, I'm sure a lot of people (well, the stupid ones who STILL don't have SP2 at least) will install this update now that a worm exists to exploit it. That's the problem; people should install updates as soon as they are available.
#4 Gowcra on 15 Aug 2005 - 11:15
Not good for people without SP2.
(1 reply) #5 beLIEve on 15 Aug 2005 - 12:54
Yeah, I'm the sole survivor in my company because I manually updated my Win2k and XP last week. Nowadays you can't rely on automatic updates from the sysadmins, ya know.

Update: XP SP2 is affected, as much as W2K SP4 Rollup 1 and W2K3 SP1 are.
#5.1 Jon on 15 Aug 2005 - 13:09
QUOTE
XP SP2 is affected, as much as W2K SP4 Rollup 1 and W2K3 SP1 are.

Only if NULL sessions have been manually enabled.

Check that HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymoussam is set to 1. If it is, you should be OK.
#6 Lee McDermott on 15 Aug 2005 - 13:25
Here we go again...
(4 replies) #7 orion on 15 Aug 2005 - 14:36
Wow more fun than a network Mgr can have on a Monday
#7.1 Sub on 15 Aug 2005 - 14:59
Wow, me being the network manager that I am, these machines have already been updated VIA WSUS. Maybe you should look into that, because any company that got this worm doesn't have s*it for an IT department.
#7.2 Jon on 15 Aug 2005 - 16:06
Oh look, it's that same old "if you don't patch you suck, because I'm blind to the possibility that there could be issues beyond technical ability at play" statement from Sub. A virus thread wouldn't be the same without it!
#7.3 orion on 16 Aug 2005 - 00:07
HaHA Sub, we use SMS. Forget WSUS; 2000+ workstations....
#7.4 rogerroger on 16 Aug 2005 - 04:59
HaHA orion, we use a tiered WSUS structure. Forget SMS, too complicated. 8500+ workstations.
(1 reply) #8 RangerLG on 15 Aug 2005 - 14:49
Let's see if people start blaming Microsoft again when a fix has been available. Just like with Blaster.
#8.1 xpgeek on 15 Aug 2005 - 19:22
Wouldn't doubt it.
(5 replies) #9 Eli on 15 Aug 2005 - 15:48
HAHAHAHA I actually was infected by this (Kind of).

I had two disks of Windows XP. One was my original copy with SP1 slipstreamed and a copy my college gave me with SP2.

I had problems with my computer so I formatted and accidentally put the SP1 disk in to re-install. I then tried updating everything but I noticed my computer FILLED with spyware right away. I tried to remove it all but it wasn't working. Then I noticed FTP.exe and I was like "WTF MATE!". Did virus scans and everything at the time, but because it was new, couldn't clear it out.

I had to finally find my XP SP2 disk and install from there because my SP1 was WAY too infected.
#9.1 threedaysdwn on 15 Aug 2005 - 17:07
So you plugged a non-patched computer directly into the WAN without a router/firewall and didn't turn the XP firewall on?
#9.2 voidpharoh on 15 Aug 2005 - 17:36
I guess some people never do learn the concept behind protecting themselves. It's a general rule for me that I never plug a computer in directly without some sort of hardware router/firewall or software firewall in place. I believe that prevention is the best way to stay, not relying solely on an Anti-Virus to clean up the mess after my PC is infected.

Yes, an anti-virus is a must nowadays, but so is a firewall or router in my humble opinion.
#9.3 leojei on 15 Aug 2005 - 18:14
QUOTE
So you plugged a non-patched computer directly into the WAN without a router/firewall and didn't turn the XP firewall on?


haha~ how long did his computer last, I wonder... 30 secs?
#9.4 Jugalator on 15 Aug 2005 - 23:28
QUOTE
didn't turn the XP firewall on?

He was on SP1 at that time if I understand things correctly, and that version of XP is, as we all know, Swiss cheese when it comes to computer security. I feel a bit sorry for new XP users who haven't slipstreamed (it's far from an obvious and common procedure for novices).
#9.5 Eli on 16 Aug 2005 - 04:04
See, all I wanted to do was to get my computer up and running. I knew installing Windows XP without SP2 was going to be dangerous, but I wanted to back up my data from my other install (I was installing a second copy because I couldn't access my first).

Now I'm running Windows XP SP2 fully patched thank you very much. Clean as can be. No spyware and no viruses. It was just the wrong CD that I grabbed that's all.
#10 AzN_Pride on 15 Aug 2005 - 18:08
Wouldn't the new AMD and Intel processors prevent buffer overflows?