rankilicious
Published by james August 18th, 2006 in teh geek mastur
with the coming of a new school year comes yet another new MS vulnerability exploit that can lead to the insertion of a trojan known as ranky.x that sends out spam from an unknown TCP port. from cbl.abuseat.org:
Commencing August 13th, we have been seeing large numbers of CBL detections caused by the vulnerabilities referenced in Microsoft’s MS06-040 security bulletin. At least one of the vulnerabilities can occur without users/administrators doing anything. If you are running Microsoft Windows, we strongly advise patching as soon as possible.
As we understand it, one of the vectors is an AIM (AOL IM) session that downloads a variety of very malicious bundles of software, including an IRCBOT (variant known as mocbot) and another piece of malware called “ranky”. The latter we believe is the spam trojan.
As reported by someone else:
Windows 2000 service pack 4 system compromised by Vulnerability in Server Service Which Allowed Remote Code Execution (921883) (Microsoft Security Bulletin MS06-040)
Four files installed in system:
C:\winnt\svchost.exe
C:\winnt\nt\nrcs.exe
C:\winnt\system32\.exe
C:\winnt\system32\wgareg.exe
Various registry items ran nrcs.exe and wgareg.exe on both system startup and user login.
regrun caught the registry changes but symantec’s AV definitions hadn’t been updated since 8/11; this trojan was released on the 16th and one of our servers got nailed. although i was able to scan, clean and patch up everything fairly quickly, now i have to deal with getting said server off of the four spamlists we’re on. the CBL is probably my favorite, as they are extremely helpful with determining how you got on their list, and what you can do to not only get delisted but how to prevent future delistings. that’s in direct contrast to spamcop’s attitude, which is basically “it’s your problem, not ours”. with any luck, we should be back to normal before the end of the weekend.
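The report above gives two kinds of evidence: the dropped file paths and Run-key entries that launch nrcs.exe and wgareg.exe at startup and login. The following is an added defender-side example, not code from the post or the CBL, that scans a `reg export` style text of the Run keys for entries pointing at those files; the .reg text it parses is a constructed sample, and the "system32\.exe" entry is omitted because the report gives no file name for it.

```python
import re

# Dropped files named in the report (lowercased for case-insensitive matching).
# A legitimate svchost.exe lives in %SystemRoot%\system32, so a copy directly
# under C:\winnt is itself a strong indicator.
SUSPECT_FILES = (
    r"c:\winnt\svchost.exe",
    r"c:\winnt\nt\nrcs.exe",
    r"c:\winnt\system32\wgareg.exe",
)

# Autorun keys covering both "system startup" (HKLM) and "user login" (HKCU).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}

def find_suspect_autoruns(reg_export: str) -> list[tuple[str, str, str]]:
    """Return (key, value_name, matched_path) for Run-key values whose data
    references one of the suspect files. Input is 'reg export' text."""
    hits = []
    current_key = None
    for line in reg_export.splitlines():
        line = line.strip()
        m_key = re.match(r"^\[(.+)\]$", line)
        if m_key:                       # new key section, e.g. [HKEY_LOCAL_MACHINE\...]
            current_key = m_key.group(1)
            continue
        if current_key is None or current_key.lower() not in RUN_KEYS:
            continue
        m_val = re.match(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$', line)
        if not m_val:
            continue
        # .reg files double every backslash in string data; undo that before matching.
        data = m_val.group("data").replace("\\\\", "\\").lower()
        for path in SUSPECT_FILES:
            if path in data:
                hits.append((current_key, m_val.group("name"), path))
    return hits

# Constructed sample export (hypothetical values, not taken from the post).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"wgareg"="C:\\WINNT\\system32\\wgareg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"nrcs"="C:\\WINNT\\nt\\nrcs.exe"
'''

if __name__ == "__main__":
    for key, name, path in find_suspect_autoruns(SAMPLE_EXPORT):
        print(f"{key} -> {name} launches {path}")
```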