   VIRUS ALERTS

Mocbot
Date: October 26, 2005

A new botnet called IRC Mocbot has been reported circulating in the wild. The bot exploits the Plug and Play service buffer overflow vulnerability in Windows systems, described in CERT-In Vulnerability Note CIVN-2005-73 and Microsoft Security Bulletin MS05-039.

The worm installs itself in the directory c:\windows\system32 as wudpcom.exe and creates a service called wudpcom with the display name "windows UDP Communication".

This bot first attempts to connect to the following IRC servers on TCP 18067:

  • bbjj.househot.com
  • ypgw.wallloan.com

The bot connects to a specified channel and awaits commands to launch a Distributed Denial of Service (DDoS) attack, scan for vulnerable systems, and download and execute remote files.

The following symptoms indicate Mocbot activity:

  • Heavy NetBIOS and microsoft-ds network traffic
  • Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
  • TCP 18067 connections to bbjj.househot.com or ypgw.wallloan.com
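
The two network symptoms can be checked against saved `netstat -an` output. The script below is an added example, not part of the original alert; it assumes Windows-style netstat text, and the fan-out threshold and sample connections are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators from the advisory text above.
C2_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SCAN_PORTS = {"139": 139, "netbios-ssn": 139, "445": 445, "microsoft-ds": 445}
FANOUT_THRESHOLD = 5  # assumption: distinct peers per port that counts as "heavy"

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def analyse(netstat_text, threshold=FANOUT_THRESHOLD):
    """Return C2 hits and NetBIOS/microsoft-ds fan-out found in netstat output."""
    c2_hits, peers = [], defaultdict(set)
    for line in netstat_text.splitlines():
        m = TCP_LINE.match(line)
        if not m or m.group(3) == "LISTENING":
            continue  # headers, UDP rows and listening sockets are not sessions
        # Foreign address is host:port; host may be an IP or a resolved name.
        host, _, port = m.group(2).lower().rpartition(":")
        if port == str(C2_PORT) or host in C2_HOSTS:
            c2_hits.append((host, port))
        if port in SCAN_PORTS:
            peers[SCAN_PORTS[port]].add(host)
    # Only report a scan port when enough distinct peers were contacted.
    scan = {p: len(h) for p, h in peers.items() if len(h) >= threshold}
    return {"c2": c2_hits, "scan": scan, "suspect": bool(c2_hits or scan)}

# Constructed sample (not real traffic): one C2-port session, six SMB probes.
SAMPLE = "\n".join(
    ["Active Connections", "",
     "  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  TCP    10.0.0.5:1031          203.0.113.7:18067      ESTABLISHED",
     "  TCP    10.0.0.5:1032          192.0.2.80:80          ESTABLISHED"]
    + [f"  TCP    10.0.0.5:{1040 + i}          10.0.0.{10 + i}:445           SYN_SENT"
       for i in range(6)]
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A hit on either check is a reason to look for wudpcom.exe and the wudpcom service on that host.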

Users are advised to apply the patches mentioned in Microsoft Security Bulletin MS05-039 and update their antivirus software.

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003