Security Alerts
August 16, 2005
Esbot/Zotob Worms Hit Campus
August 22, 2005 Update
Standalone removal tools are now available from Symantec for the following worms:
The following strains can be removed by a full scan with updated SAV definitions:
Summary
On Aug 15, 2005, two worm strains infected over a thousand computers at Stanford. Most of the infections took place between 1pm and 5pm. Some of the infections were from the "Zotob" worm that appeared over the weekend, but most were of a previously unseen type that was identified today as "Esbot". Both were exploits of one of the vulnerabilities announced in last week's Microsoft alert.
In response to the outbreak, the BigFix team has pushed patches to vulnerable machines and Networking has applied filters to prevent the spread of the worms and stop them from contacting their control sites. The number of actively scanning machines is less than 10% of what it was at its peak yesterday, and the rate of new infections is down to less than 5 machines per hour (about 1% of yesterday's peak).
The Information Security Office will send notices directly to those that still appear to be vulnerable and to those who have exhibited scanning behavior characteristic of the worm.
What to Do
Please continue to update the OS patches and anti-virus signatures on your Windows computers. In particular, you can expect frequent anti-virus signature updates as new variants appear in the next several days. We also recommend running a complete virus-scan.
Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.
LNAs can contact the Information Security Office for a list of machines with symptoms of infection.
Technical Detail
The infection seems to have started sometime between 1:00pm and 2:00pm on August 15. It spread at an initial rate of roughly 500 machines per hour until network filters were installed. At 5:00pm it had dropped to 70 machines per hour, and since 6:00pm new infections have been trickling in at less than 5 per hour.
The total infection rate among machines with BigFix installed was around 3%. In contrast, roughly 20% of Windows machines without BigFix were infected.
For current information on these worms, see Symantec's pages at:
- http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.b.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.c@mm.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.f.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.g.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.h.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.i.html
Symantec has a standalone removal tool for several strains of Zotob available from their web site.
Esbot infects machines by installing itself as the "Mouse Button Monitor Service". Symantec has a standalone removal tool for Esbot.A, and it may also be removed by a fully updated Symantec Antivirus scan. In case you encounter a newer strain of the worm or the removal tool fails, the following advice comes from ITSS Client Support and the BigFix team:
What to do if Symantec AntiVirus will not remove mousebm.exe, and why it fails:
The "Mouse Button Monitor Service" (mousebm.exe) restarts itself if it is shut down (whether through Task Manager or an external utility such as pskill), and Task Manager may refuse to end mousebm.exe with an "access is denied" error.
If mousebm.exe is not stopped, SAV will not be able to quarantine or delete it. To get around this problem:
1. From the service control manager, navigate to the "Mouse Button Monitor" service.
2. Change the Startup type to "Disabled".
3. Use Sysinternals pskill to kill the mousebm.exe process (pskill mousebm.exe), or simply reboot and continue to step 4.
4. Delete the registry key "mousebm" from HKLM\SYSTEM\CurrentControlSet\Services. (The "Mouse Button Monitor" service will still be visible in the GUI until you reboot again.)
5. Run a SAV scan.
6. Delete any quarantined files from SAV.
7. Reboot.
This procedure is a stop-gap measure and does not ensure 100% disinfection, as other files could already have been loaded onto the machine, silently waiting to be started.
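The manual clean-up above, written as an added PowerShell example for an LNA triaging a single machine. This is not code from the original alert or from ITSS Client Support or the BigFix team. It assumes an elevated PowerShell session on the affected Windows host, that the service's key and process name are both "mousebm" (the registry key name comes from step 4 of the alert; the display name is the one the alert quotes), and that the SAV scan, quarantine clean-up and reboot are then done by hand as in steps 5 to 7.

```powershell
# Added example: check for the alert's indicators and apply steps 1-4 of the
# manual procedure. Assumes the service key and process are both named
# "mousebm" (taken from the alert) and an elevated session.

$ServiceName = 'mousebm'                        # service/registry key name from step 4
$DisplayName = 'Mouse Button Monitor Service'   # display name quoted in the alert
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Test-MousebmIndicators {
    # Report which symptoms are present; a hashtable is easy to log or to
    # collect from many hosts when building the list of infected machines.
    $svc  = Get-Service | Where-Object {
        $_.Name -eq $ServiceName -or $_.DisplayName -eq $DisplayName
    }
    $proc = Get-Process -Name $ServiceName -ErrorAction SilentlyContinue
    $key  = Test-Path -Path $ServiceKey
    return @{
        ServicePresent = [bool]$svc
        ServiceStatus  = if ($svc) { [string]$svc.Status } else { 'absent' }
        ProcessRunning = [bool]$proc
        RegistryKey    = $key
        Infected       = ([bool]$svc -or [bool]$proc -or $key)
    }
}

function Disable-MousebmService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Steps 1-2: set the service to Disabled so it cannot restart itself.
    if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess($ServiceName, 'Set startup type to Disabled')) {
            Set-Service -Name $ServiceName -StartupType Disabled
        }
    }

    # Step 3: end the process now. If access is denied (the failure mode the
    # alert describes), a reboot with the service disabled has the same
    # effect, so this is a warning rather than a fatal error.
    $proc = Get-Process -Name $ServiceName -ErrorAction SilentlyContinue
    if ($proc -and $PSCmdlet.ShouldProcess("$ServiceName.exe", 'Stop process')) {
        try {
            Stop-Process -Id $proc.Id -Force -ErrorAction Stop
        } catch {
            Write-Warning "Could not stop $ServiceName.exe ($_); reboot before scanning."
        }
    }

    # Step 4: delete the service definition so it is gone after the next reboot.
    if ((Test-Path $ServiceKey) -and $PSCmdlet.ShouldProcess($ServiceKey, 'Delete registry key')) {
        Remove-Item -Path $ServiceKey -Recurse -Force
    }

    # Steps 5-7 are deliberately left to the operator.
    Write-Host 'Now run a full Symantec AntiVirus scan, delete quarantined files, and reboot.'
}

# Usage: inspect first, then dry-run the clean-up with -WhatIf before running it for real.
$before = Test-MousebmIndicators
$before | Format-Table -AutoSize
if ($before.Infected) {
    Disable-MousebmService -WhatIf
    # Disable-MousebmService    # uncomment after reviewing the -WhatIf output
}
```

Run Test-MousebmIndicators again after the final reboot: all four indicators should be false. As the alert notes, a clean result here only covers the service the worm registers, not any other files it may already have dropped, so the full SAV scan is still required.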
References
Additional information regarding the MS05-039 vulnerability is available at
- http://securecomputing.stanford.edu/alerts/windows-ms05-aug.html
- http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
Information on the Esbot and Zotob worms is available at
- http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.a.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.b.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.c@mm.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.f.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.g.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.h.html
- http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.i.html
Information on the ControlSet registry keys:
The Information Security Office would like to thank several groups in ITSS - including the BigFix team, Networking, and Client Support - for their great work in responding to this incident and for their assistance in producing this alert.