MS06-040 exploit in the wild

Published: 2006-08-13. Last Updated: 2006-08-13 17:57:47 UTC
by Swa Frantzen (Version: 7)
We have caught a live exploit against a Windows 2000 Server. The captured packets (pcap) of the exploit trigger the Snort signatures for the vulnerability described in MS06-040.

We have multiple independent sources of reports at this time.

It looks like it's building a botnet (as we expected).
Signs defenders should look for:
  • Filename: wgareg.exe, MD5: 9928a1e6601cf00d0b7826d13fb556f0 (this is the bot)
  • Incoming traffic on 445/TCP but there is a lot of background noise on that port.
  • Snort signatures firing on:
    • BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)  [Bleedingsnort]
    • NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt [Sourcefire VRT]
  • Outgoing traffic to bniu.househot.com:18067 (Command and Control center, multiple IPs, IRC)
  • Outgoing traffic to ypgw.wallloan.com:18067 [we haven't seen those ourselves but do have multiple independent sources confirming it]
  • Outgoing traffic to port 445/TCP (scanning for victims and exploiting them)
Since this is a botnet, these bots might do much more depending on what the controller has in store for them. So unfortunately you basically only have the choice to clean them by wiping the disk if you ever want to trust the machines again.
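As an added example (not part of the diary, and not the bot's code): a small Python script that applies the indicators listed above to flow records. The flow records are constructed, and the fan-out threshold used to separate 445/TCP background noise from a host that has started scanning is an assumption.

```python
"""Flag hosts showing the MS06-040 bot indicators from the diary above.

Added example, not part of the ISC diary. The flow records are constructed
and SCAN_FANOUT is an assumed threshold, not a value from the diary.
"""
from collections import defaultdict

C2_HOSTS = {"bniu.househot.com", "ypgw.wallloan.com"}  # from the diary
C2_PORT = 18067                                        # from the diary
BOT_MD5 = "9928a1e6601cf00d0b7826d13fb556f0"           # wgareg.exe, from the diary
SCAN_FANOUT = 20  # assumed: distinct 445/TCP targets before we call it scanning

# Constructed sample flow log, one record per line: "src dst dport [dst_name]"
SAMPLE_FLOWS = (
    "10.0.0.5 10.0.0.7 445\n"                                         # 10.0.0.7 is hit on 445
    + "".join(f"10.0.0.7 192.168.1.{i} 445\n" for i in range(1, 26))  # ...then scans 25 hosts
    + "10.0.0.7 203.0.113.9 18067 bniu.househot.com\n"                # ...and contacts the C&C
    + "10.0.0.3 10.0.0.9 445\n"                                       # ordinary SMB: background noise
    + "10.0.0.3 198.51.100.4 443 update.example\n"
)

def parse_flows(text):
    """Yield (src, dst, dport, dst_name) tuples; dst_name is '' when absent."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        name = parts[3] if len(parts) > 3 else ""
        yield parts[0], parts[1], int(parts[2]), name

def find_suspects(text, fanout=SCAN_FANOUT):
    """Return {host: sorted reasons} for hosts matching the diary's indicators."""
    reasons = defaultdict(set)
    targets_445 = defaultdict(set)
    for src, dst, dport, name in parse_flows(text):
        if dport == C2_PORT and name in C2_HOSTS:
            reasons[src].add(f"c2:{name}:{dport}")
        if dport == 445:
            targets_445[src].add(dst)
    for src, dsts in targets_445.items():
        if len(dsts) >= fanout:  # one 445 connection is noise; fan-out to many hosts is not
            reasons[src].add(f"scan445:{len(dsts)}")
    return {host: sorted(why) for host, why in reasons.items()}

def is_known_bot(md5_hex):
    """True when a file's MD5 matches the wgareg.exe sample from the diary."""
    return md5_hex.strip().lower() == BOT_MD5

if __name__ == "__main__":
    for host, why in find_suspects(SAMPLE_FLOWS).items():
        print(host, why)
```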

Please do not ask for samples at this point.
We have shared it with the usual anti-virus vendors already.

Should you find other activity of these bots or differing MD5, we would very much appreciate a copy at the contact page.

We ran the bot through virustotal:
Scan results
File: wgareg.exe
Date: 08/13/2006 03:03:43 (CET)
----
AntiVir              6.35.1.0/20060812        found [HEUR/Crypted.Layered]
Authentium           4.93.8/20060812          found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast                4.7.844.0/20060810       found nothing
AVG                  386/20060811             found nothing
BitDefender          7.2/20060813             found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal        8.00/20060812            found [(Suspicious) - DNAScan]
ClamAV               devel-20060426/20060813  found nothing
DrWeb                4.33/20060812            found nothing
eTrust-InoculateIT   23.72.94/20060812        found nothing
eTrust-Vet           30.3.3012/20060811       found nothing
Ewido                4.0/20060812             found nothing
Fortinet             2.77.0.0/20060812        found nothing
F-Prot               3.16f/20060811           found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4              4.2.1.29/20060811        found [W32/Threat-HLLIM-based!Maximus]
Ikarus               0.2.65.0/20060811        found nothing
Kaspersky            4.0.2.24/20060813        found nothing
McAfee               4827/20060811            found nothing
Microsoft            1.1508/20060804          found nothing
NOD32v2              1.1704/20060811          found [a variant of Win32/IRCBot.OO]
Norman               5.90.23/20060811         found [W32/Suspicious_M.gen]
Panda                9.0.0.4/20060812         found [Suspicious file]
Sophos               4.08.0/20060812          found nothing
Symantec             8.0/20060813             found nothing
TheHacker            5.9.8.190/20060810       found nothing
UNA                  1.83/20060811            found nothing
VBA32                3.11.0/20060811          found nothing
VirusBuster          4.3.7:9/20060812         found nothing
wgareg.exe messes with the Windows registry. One of the things it adds is a description of itself: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability." Right ... It also appears to change settings related to firewalls and sharing.

LURHQ also has a write-up on the same bot by Joe Stewart, and they found a variant of the binary with a different MD5 and slightly different behaviour.

Thanks to all involved: William, Jim, Scott, Dan and all those I forgot.

--
Swa Frantzen -- Section 66