How to remove W32/IRCbot.worm
Tuesday, December 8, 2009
Symptoms -
On a system that has not yet been patched for the MS05-039 (Plug and Play service) vulnerability, the worm's exploit attempt may cause the system to reboot.
Method of Infection -
This threat scans for systems exploitable via MS05-039. When a vulnerable system is found, it triggers the buffer overflow and then transfers the worm file to that machine over TFTP on port 8594. Blocking this port with McAfee Desktop Firewall or McAfee Personal Firewall prevents infection even if the buffer overflow itself is not prevented, although the overflow may still crash or reboot an unpatched target.
Removal -
AVERT DATS
Use the engine and DAT versions specified in the advisory (or later) for detection and removal. The DAT version requirement covers detection; the specified engine version (or greater) must also be in use.
McAfee Intrushield
Sigsets released on Aug 9th, 2005 will detect this as:
DCERPC: Microsoft Plug and Play Service Buffer Overflow (0x47602000)
Stinger
Stinger has been updated to help detect and repair this threat.
McAfee Managed VirusScan
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.
McAfee Entercept
McAfee Entercept prevents the vulnerable system from being exploited with Level 1 protection enabled.
McAfee VirusScan Enterprise 8.0i
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems. Additionally, systems running VirusScan Enterprise with the "Prevent creation of new files in the System32 folder (.exe)" access protection rule set to "Block access" will be protected from infection, though the buffer overflow may still occur on unpatched systems.
Note: if this rule is applied to all processes, it will also block legitimate writes to files in the Windows directory, such as when applying security patches, so it must be disabled while such legitimate activity is occurring.
The User-defined Detection feature of the Unwanted Programs Policy can also be used to prevent replication of the worm, by adding a detection for wintbp.exe (the worm's file name) as shown below.
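The advisory gives three host-side indicators: the worm file name wintbp.exe (dropped into System32), traffic on the TFTP port 8594 used to fetch the worm, and the firewall rule that blocks that port. The following triage script is an added example, not part of the original advisory or any McAfee tool: it runs those checks over a file listing, a `netstat -ano` dump and a Windows Firewall text log, and returns a verdict per host. The netstat and firewall log layouts are assumed to follow the standard Windows formats, and all sample inputs are constructed for the example.

```python
"""Host triage for the W32/IRCbot.worm indicators named in the advisory.

Added example code; not from the advisory. Sample inputs are constructed.
"""
import os
import re
from dataclasses import dataclass

WORM_FILENAME = "wintbp.exe"   # worm file name given in the advisory
TFTP_PORT = 8594               # TFTP transfer port given in the advisory


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str     # "file", "socket" or "firewall"
    detail: str


# Assumed layout of a Windows `netstat -ano` line: Proto, Local, Foreign, [State], PID.
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+|\*)"
)


def _to_int(s):
    try:
        return int(s)
    except ValueError:
        return None   # e.g. "-" in ICMP firewall log lines


def file_findings(host, paths):
    """Flag any wintbp.exe; the advisory's access-protection rule targets System32."""
    out = []
    for p in paths:
        name = os.path.basename(p.replace("\\", "/")).lower()
        if name == WORM_FILENAME:
            where = "System32" if "system32" in p.lower() else "other location"
            out.append(Finding(host, "file", f"{p} ({where})"))
    return out


def socket_findings(host, netstat_text):
    """Flag sockets bound to or connected to port 8594 (protocol is not stated on the page)."""
    out = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        lport = int(m["lport"])
        rport = _to_int(m["rport"])
        if lport == TFTP_PORT:
            out.append(Finding(host, "socket",
                               f"{m['proto']} local port {lport} bound (host may be serving the worm file)"))
        elif rport == TFTP_PORT:
            out.append(Finding(host, "socket",
                               f"{m['proto']} connection to {m['raddr']}:{rport} (worm download in progress?)"))
    return out


def firewall_findings(host, log_text):
    """Assumed Windows Firewall log layout: date time action protocol src-ip dst-ip src-port dst-port ..."""
    out = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue
        action, proto, src, dst, sport, dport = f[2], f[3], f[4], f[5], f[6], f[7]
        if TFTP_PORT in (_to_int(sport), _to_int(dport)):
            out.append(Finding(host, "firewall", f"{action} {proto} {src}:{sport} -> {dst}:{dport}"))
    return out


def triage(host, netstat_text="", paths=(), fw_log=""):
    return file_findings(host, paths) + socket_findings(host, netstat_text) + firewall_findings(host, fw_log)


def verdict(findings):
    """A dropped worm file is conclusive; port activity alone only makes the host a suspect."""
    kinds = {f.kind for f in findings}
    if "file" in kinds:
        return "infected"
    return "suspect" if kinds else "clean"


# Constructed samples: one host showing all three indicators, one clean host.
INFECTED_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:8594           *:*                                    1932
  TCP    10.0.0.5:1088          10.0.0.20:8594         ESTABLISHED     1932
"""
INFECTED_FILES = [r"C:\WINDOWS\system32\wintbp.exe", r"C:\WINDOWS\system32\svchost.exe"]
INFECTED_FWLOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-08-10 12:00:01 OPEN TCP 10.0.0.5 10.0.0.20 1088 8594 - - - - - - - - -
"""
CLEAN_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.6:1045          10.0.0.1:80            ESTABLISHED     1200
"""
CLEAN_FILES = [r"C:\WINDOWS\system32\svchost.exe"]

if __name__ == "__main__":
    for host, ns, files, fw in (("host-a", INFECTED_NETSTAT, INFECTED_FILES, INFECTED_FWLOG),
                                ("host-b", CLEAN_NETSTAT, CLEAN_FILES, "")):
        found = triage(host, ns, files, fw)
        print(host, verdict(found))
        for f in found:
            print("   ", f.kind, f.detail)
```

A firewall OPEN entry on port 8594 with no dropped worm file means the block rule the advisory recommends was not in place; a DROP entry confirms it was. Either way the host should still be checked for wintbp.exe, since the file may have arrived before the rule was added.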