02-21-2007, 03:16 PM
McAfee is reporting an outbreak of a new worm that affects Windows 2000 and pre Windows XP SP2 users.
The worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching http://FTP.EXE to download and execute the worm from the source system.
This worm exploits the MS05-039 vulnerability. There are at least 2 other W32/Sdbot based worms know to exist that also exploit this vulnerability. They may be seen with the filenames pnpsrv.exe or winpnp.exe.
The worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP Port 445. When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script and launching http://FTP.EXE to download and execute the worm from the source system.
This worm exploits the MS05-039 vulnerability. There are at least 2 other W32/Sdbot based worms know to exist that also exploit this vulnerability. They may be seen with the filenames pnpsrv.exe or winpnp.exe.
