Severity: Medium
PhatBot Worm
Overview: Zone Labs has identified a new worm labeled PhatBot rapidly spreading across the Internet. PhatBot has been classified as "Medium Risk." Computer users should take action to protect their systems if they are vulnerable.
Date Published: March 17, 2004
Last Update: August 18, 2005
Impact: This worm attempts to breach computer security in several ways, including:
- Shutting down antivirus and firewall software
- Collecting email addresses
- Stealing user names and passwords
- Username and password cracking
- Denial of Service attacks
- Stealing Microsoft Windows product IDs
PhatBot attempts to shut down ZoneAlarm® and ZoneAlarm Pro firewalls. Because ZoneAlarm and ZoneAlarm Pro both employ process protection and hardening, this attempt fails. PhatBot cannot shut down or manipulate ZoneAlarm or ZoneAlarm Pro. PhatBot does not attempt to shut down Integrity clients.
Description: The PhatBot worm uses the following infection techniques and vulnerabilities to spread:
Microsoft vulnerabilities:
Computers infected with:
If a computer is infected with MyDoom or Bagle, PhatBot will use these previous worm infections to install itself on the system.
Zone Labs Products: ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro will prevent infection and propagation via untrusted networks. Furthermore, Program Control will alert the computer user when malicious code attempts to access the network.
Integrity administrators should review observed programs for processes named: svrhost.exe; srvhost.exe. These process names are used by PhatBot when it is successfully installed on a system.
Recommended Actions
ZoneAlarm Family:
- Ensure your system is patched with Microsoft patches:
  RPC/DCOM (MS03-026)
  WebDAV (MS03-007)
  RPC/Locator (MS03-001)
- Monitor Program Control alerts for: svrhost.exe; srvhost.exe [1].
- Monitor incoming/outgoing firewall alerts for TCP port 4387.
- Update antivirus products to provide the most up-to-date protection.
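A defender-side check for the indicators above, written as an added example (not Zone Labs code): it scans a process listing for the two worm process names, ignoring the legitimate svchost.exe they imitate, and filters firewall alerts for TCP port 4387. The task-list and alert line layouts are assumptions, and all sample data is constructed.

```python
import re

# Indicators from the advisory: PhatBot's process names and the TCP port it uses.
PHATBOT_PROCESS_NAMES = {"svrhost.exe", "srvhost.exe"}
PHATBOT_TCP_PORT = 4387

def flag_processes(process_lines):
    """Return (pid, name) for every process whose image name is a PhatBot name.
    Assumed input (constructed here): one '<pid> <image name>' entry per line.
    The match is exact and case-insensitive, so the legitimate Windows
    service host svchost.exe, which the worm's names imitate, is not flagged."""
    hits = []
    for line in process_lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        name = parts[1].strip().lower()
        if name in PHATBOT_PROCESS_NAMES:
            hits.append((int(parts[0]), name))
    return hits

# Assumed firewall alert layout (constructed): '... IN|OUT TCP src:port -> dst:port'
FW_ALERT = re.compile(
    r"\b(IN|OUT)\s+TCP\s+[\d.]+:(?P<sport>\d+)\s*->\s*[\d.]+:(?P<dport>\d+)")

def flag_firewall_alerts(alert_lines):
    """Return the alert lines in which either TCP endpoint uses port 4387."""
    hits = []
    for line in alert_lines:
        m = FW_ALERT.search(line)
        if m and PHATBOT_TCP_PORT in (int(m["sport"]), int(m["dport"])):
            hits.append(line.strip())
    return hits

# Constructed sample data: a task list and firewall alerts, with a lookalike
# name in mixed case and the legitimate svchost.exe mixed in.
SAMPLE_PROCESSES = [
    "4 System",
    "812 svchost.exe",
    "1336 SrvHost.exe",
    "2040 explorer.exe",
    "2188 svrhost.exe",
]
SAMPLE_ALERTS = [
    "2004-03-17 10:01:02 IN  TCP 192.0.2.10:3121 -> 192.0.2.55:4387",
    "2004-03-17 10:01:05 OUT TCP 192.0.2.55:4387 -> 192.0.2.77:1045",
    "2004-03-17 10:01:09 OUT TCP 192.0.2.55:1046 -> 198.51.100.3:80",
]
```

Running `flag_processes(SAMPLE_PROCESSES)` yields the two lookalike entries only, and `flag_firewall_alerts(SAMPLE_ALERTS)` keeps the two lines touching port 4387.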
Related Resources:
Contact: Zone Labs customers who are concerned about these vulnerabilities or have additional technical questions may reach our Technical Support group at: http://www.zonelabs.com/store/content/support/support.jsp.
To report security issues with Zone Labs products, contact security@zonelabs.com.
Disclaimer: The information in this advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Copyright: ©2004-2005 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, Inc. Check Point Integrity is protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Zone Labs. Reprinting the whole or part of this alert in any medium other than electronically requires permission from Zone Labs.