Windows Server

Hi all,

Since this Monday, we, the GCR security team, have received 14+ Crisit cases regarding the new worms which exploit the vulnerability fixed in MS08-067. We have found several variants of the following worms and submitted them to the AV team. (BTW: Our FCS has been able to clean most of the prevalent Chinese malware in time and

1) Worm:Win32/Conficker.A (named by Forefront Client Security; variant names look like Conficker.gen!A)

2) Backdoor:Win32/IRCbot.BH (named by Forefront Client Security)

A Crisit spike is expected to appear in the next few days, so we have prepared the following document for your reference. Once your team receives any similar case from a customer, you can:

First, verify whether it is caused by the worms above by following the instructions below;

If confirmed, send the action plan to the customer and involve our team.



If the customer reports one of the following symptoms, the system is probably infected:

1) High CPU Usage

SVCHOST.EXE may take very high CPU utilization.

2) Huge number of TCP connections to port 445

The system attempts to establish an abnormally large number of TCP connections to other IP addresses on port 445. It also sends high volumes of ARP packets.
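The second symptom is easy to confirm from the host itself. The following script is an added example (it is not part of the original post): it parses `netstat -an` style output and counts, per local address, how many distinct hosts are being contacted on port 445, which is what a scanning worm looks like on the wire. The netstat lines in SAMPLE_NETSTAT are constructed for the example, and the threshold of 20 distinct targets is an assumption rather than a figure from the post; on a Windows host the script runs the real netstat instead.

```python
# Added example, not part of the original post: count outbound TCP connections
# to port 445 per local address from `netstat -an` style output.
# SAMPLE_NETSTAT is constructed; the threshold of 20 is an assumption.
import re
import subprocess
import sys
from collections import defaultdict

# One Windows `netstat -an` TCP line: proto, local addr:port, foreign addr:port, state
NETSTAT_TCP = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_ip, remote_ip, remote_port, state) for every TCP line.
    The header, UDP lines and anything else that does not match are skipped."""
    for line in text.splitlines():
        m = NETSTAT_TCP.match(line)
        if m:
            local_ip, _local_port, remote_ip, remote_port, state = m.groups()
            yield local_ip, remote_ip, int(remote_port), state


def count_smb_targets(text, port=445):
    """Return {local_ip: number of distinct remote hosts contacted on `port`}.
    Only connections this host initiated count (SYN_SENT or ESTABLISHED with
    the remote port equal to `port`); LISTENING sockets (foreign 0.0.0.0:0)
    and inbound sessions are ignored."""
    targets = defaultdict(set)
    for local_ip, remote_ip, remote_port, state in parse_netstat(text):
        if remote_port == port and state in ("SYN_SENT", "ESTABLISHED"):
            targets[local_ip].add(remote_ip)
    return {ip: len(hosts) for ip, hosts in targets.items()}


def flag_scanners(text, threshold=20, port=445):
    """Local addresses contacting more than `threshold` distinct hosts on `port`."""
    return sorted(ip for ip, n in count_smb_targets(text, port).items() if n > threshold)


# Constructed sample: 10.0.0.5 is hammering 30 neighbours on 445 (worm-like),
# 10.0.0.6 has one normal file-share session, plus a LISTENING socket on 445.
_SCAN_LINES = [
    "  TCP    10.0.0.5:%d          10.0.0.%d:445           SYN_SENT" % (1025 + i, 10 + i)
    for i in range(30)
]
SAMPLE_NETSTAT = "\n".join(
    ["", "Active Connections", "",
     "  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
     "  TCP    10.0.0.6:1412          10.0.0.9:445           ESTABLISHED",
     "  UDP    0.0.0.0:137            *:*"]
    + _SCAN_LINES
)

if __name__ == "__main__":
    if sys.platform == "win32":
        # Live check: netstat -an is available on every Windows version
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT  # offline demonstration on the constructed sample
    print("distinct port-445 targets per local address:", count_smb_targets(text))
    print("addresses above threshold:", flag_scanners(text))
```

Run it on the suspect host and compare the per-address count against the handful of file servers a normal workstation talks to; a count in the tens or hundreds, growing between runs, matches the symptom described above. The ARP flood is not visible in netstat and has to be confirmed with a packet capture or switch counters.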




If the following symptom is observed, the system may have been attacked; it often indicates an unsuccessful exploitation attempt:

3) SVCHOST.EXE crashes and all the services running in the same svchost.exe exit abnormally.


Diagnostic Approach

If the symptoms match those of an infection, take the following steps to confirm the problem.

Steps taken to identify Worm:Win32/Conficker.A

1) Run Services.msc

Check for the presence of a service without a Description and with a Name 4 to 8 bytes in length.

This is a random service name (referred to as RANDOMSERVICENAME below) which changes on every reboot.

2) Run Regedit

Check this RANDOMSERVICENAME service in the registry:


"ImagePath"= "C:\Windows\system32\svchost.exe -k netsvcs"



This particular DLL is 62xxx bytes in size; the exact size may differ between virus variants.

Steps taken to identify Backdoor:Win32/IRCbot.BH.

1) Run Regedit

2) Locate the two subkeys



3) Check for the presence of one of the following registry values and data; its existence indicates infection:

Value: "MS Gaurd Driver"

With data: "%ProgramFiles%\msgaurd.exe"

Value: "SoundMAX Driver"

With data: "%ProgramFiles%\soundmax.exe"

Value: "MediaAVI Driver"

With data: "%ProgramFiles%\mediaavi.exe"
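Both diagnostic procedures above can be scripted so that the check is the same on every case. The following is an added example and not code from the original post: the classification functions are pure, so they can be run against exported service or registry data anywhere, and collect_local_indicators() reads the live registry through Python's standard winreg module when run on Windows. Two things are assumptions rather than details from the post: the post does not name the two Run subkeys checked for IRCbot.BH, so the HKLM and HKCU ...\CurrentVersion\Run paths in RUN_KEYS are assumed, and the Parameters\ServiceDll value is read because that is the standard place a svchost-hosted service registers its DLL (the post mentions the DLL but the value name is not on the page). The sample service records are constructed.

```python
# Added example, not part of the original post: apply the Conficker.A service
# check and the IRCbot.BH Run-key check. RUN_KEYS and the use of
# Parameters\ServiceDll are assumptions (see lead-in); SAMPLE_SERVICES is constructed.
import os
import re
import sys

# IRCbot.BH indicators quoted in the post: value name -> data
IRCBOT_RUN_VALUES = {
    "MS Gaurd Driver": r"%ProgramFiles%\msgaurd.exe",
    "SoundMAX Driver": r"%ProgramFiles%\soundmax.exe",
    "MediaAVI Driver": r"%ProgramFiles%\mediaavi.exe",
}


def _basename(path):
    """Last path component, handling Windows separators on any platform."""
    return re.split(r"[\\/]", str(path).strip('"'))[-1].lower()


_IRCBOT_EXES = tuple(_basename(v) for v in IRCBOT_RUN_VALUES.values())

# Assumed locations of the "two subkeys": the usual autostart Run keys
RUN_KEYS = (
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
)
_NETSVCS = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)


def is_conficker_like_service(name, description, image_path):
    """Conficker.A indicator from the post: no Description, a Name of 4 to 8 bytes,
    ImagePath 'svchost.exe -k netsvcs'. Genuine netsvcs members normally carry a
    Description, so a hit is a candidate for manual review, not proof by itself."""
    return (4 <= len(name) <= 8
            and not (description or "").strip()
            and _NETSVCS.search(image_path or "") is not None)


def scan_service_records(records):
    """records: iterable of (name, description, image_path). Returns flagged names."""
    return [n for n, d, p in records if is_conficker_like_service(n, d, p)]


def find_ircbot_values(run_values):
    """run_values: {value name: data} read from one Run key. Flags a value whose name
    is one of the quoted names or whose data ends in one of the quoted executables,
    so a renamed value with the same payload is still caught."""
    return [(name, data) for name, data in run_values.items()
            if name in IRCBOT_RUN_VALUES or _basename(data) in _IRCBOT_EXES]


def _reg_value(key, name):
    """Read one string value from an open winreg key; '' if absent."""
    import winreg
    try:
        return str(winreg.QueryValueEx(key, name)[0])
    except OSError:
        return ""


def _reg_values(key):
    """All (name, data) values of an open winreg key as a dict."""
    import winreg
    values, i = {}, 0
    while True:
        try:
            vname, vdata, _ = winreg.EnumValue(key, i)
        except OSError:
            return values  # end of enumeration
        values[vname] = vdata
        i += 1


def collect_local_indicators():
    """Live check on Windows: returns ([(service, dll_path, dll_size)], [(name, data)]).
    Returns ([], []) on other platforms so the pure functions can still be tested."""
    if sys.platform != "win32":
        return [], []
    import winreg
    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break
            i += 1
            with winreg.OpenKey(root, name) as k:
                if not is_conficker_like_service(name, _reg_value(k, "Description"),
                                                 _reg_value(k, "ImagePath")):
                    continue
                try:  # report the hosted DLL so the ~62xxx-byte hint can be checked
                    with winreg.OpenKey(k, "Parameters") as p:
                        dll = os.path.expandvars(_reg_value(p, "ServiceDll"))
                except OSError:
                    dll = ""
            size = os.path.getsize(dll) if dll and os.path.exists(dll) else None
            services.append((name, dll, size))
    run_hits = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive), path) as k:
                run_hits.extend(find_ircbot_values(_reg_values(k)))
        except OSError:
            pass  # key absent for this hive
    return services, run_hits


# Constructed sample records (not real machine data)
SAMPLE_SERVICES = [
    ("Browser", "Maintains an updated list of computers", r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    ("abc", "", r"C:\Windows\system32\svchost.exe -k netsvcs"),       # too short
    ("jqszhl", "", r"C:\Windows\system32\svchost.exe -k netsvcs"),    # random name, no description
    ("Spooler", "", r"C:\Windows\system32\spoolsv.exe"),             # not svchost-hosted
]

if __name__ == "__main__":
    print("sample flagged:", scan_service_records(SAMPLE_SERVICES))
    print("live indicators:", collect_local_indicators())
```

Because the Conficker service name is regenerated on every reboot, record the name, DLL path and size from the first run before the machine is restarted; the IRCbot values are stable and can be matched directly against the three names and paths listed above.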

If you have confirmed the problem, send the following Action Plan to the customer to deal with the worms:


Action Plan

For both the infected and uninfected systems, you need to:

Install the latest security patches on all the Windows systems

Note: Installing security updates alone protects the uninfected systems from the worms, but it does not fix the infected systems. The infected ones will still suffer from those symptoms and try to attack others.

For the infected systems, you need to:

Install antivirus software and update it to the latest version. The following antivirus products are able to detect these two kinds of worms as of 2008-11-25 6:00 UTC:

Antigen-Ahnlab -

Antigen-Cavet -

Antigen-Microsoft -

Antigen-VBuster -

ESET - 3637 (20081124)

EZETrust - 31.6.0

EZETrust-Reviewer - 31.6.0

Kaspersky - 1.68

McAfee Beta - v5.2.00

Microsoft (Generic) - 1.4104 [retail]

Microsoft (Latest Internal) - 1.4104 [retail] (AV) (1.47.742.0) (AS) (1.47.742.0)

Microsoft (Released) - 1.4104 [retail] (AV) (1.47.726.0) (AS) (1.47.726.0)

Symantec - 20081124 09:33:01

Trend - (2008/04/06) (520300)

Before the customer has installed security updates on all Windows systems, you need to:

Block any packet whose destination port is TCP 445 on all network devices by using ACLs.

Use domain policy to block any inbound and outbound access to TCP port 445 on all Windows systems by using IPSec.

Note: Blocking inbound access protects the system from the worms' attacks, while blocking outbound access prevents an infected system from attacking others. Windows Firewall can only block inbound traffic, so IPSec is required.


How to deploy IPSec to block TCP 445 in a domain:

1. Create IPSec Policy

a) Open Domain Policy Console

b) Expand Console Root\Default Domain Policy\Computer Configuration\Windows Settings\Security Settings\

c) Right-click IP Security Policies, and then click Create IP Security Policy.

d) Click Next, and then type a name for your policy (for example, Block TCP 445 ). Click Next.

e) Click to clear the Activate the default response rule check box, and then click Next.

f) Click Finish (leave the Edit check box selected).

2. Build a Filter List

a) In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to create a new rule.

b) Click the IP Filter List tab, and then click Add.

c) Type an appropriate name for the filter list (for example, TCP 445 ), click to clear the Use Add Wizard check box, and then click Add.

d) In the Source address box, click Any IP Address.

e) In the Destination address box, click Any IP Address.

f) Click the Protocol tab.

g) In the Select a protocol type box, click TCP.

h) In the Set the IP protocol port section, click To this port, and type 445.

i) Click OK.

j) In IP Filter List window, click OK.

3. Configure a Rule for Blocking TCP 445

a) Click the IP Filter List tab, and then click to select the filter list that you created.

b) Click the Filter Action tab, and then click to select Block.

c) Click Close. Click OK in Properties window.

4. Assign Your New IPSec Policy to Your Domain

In IP Security Policies, right-click your new policy, and then click Assign. A green arrow appears in the folder icon next to your policy.

5. Update your policy at once

Run at the client: GPUpdate /Target:Computer

If the customer has difficulty installing security patches, the following workaround will help block the attacks:


Disable the Server and Computer Browser services

Disabling the Computer Browser and Server services on the affected systems will help protect them from remote attempts to exploit this vulnerability.

You can disable these services by using the following steps:


1) Click Start, and then click Control Panel (or point to Settings and then click Control Panel).

2) Double-click Administrative Tools.

3) Double-click Services.

4) Double-click Computer Browser Service.

5) In the Startup type list, click Disabled.

6) Click Stop, and then click OK.

7) Repeat steps 4-6 for the Server service.


Impact of Workaround

If the Computer Browser service is disabled, any services that explicitly depend on the Computer Browser service may log an error message in the system event log. For more information about the Computer Browser service, see Microsoft Knowledge Base Article 188001. If the Server service is disabled, you will not be able to share files or printers from your computer. However, you will still be able to view and use file shares and printer resources on other systems.
