Graweg NetApi32.dll Exploit

Exploit details:

There is a buffer overrun vulnerability in the Server service. By default the Server service listens on TCP ports 139 and 445, and by sending a specially crafted message to one of these ports it is possible to execute malicious commands within the context of the Server service.

The following operating systems have this security hole:

  • Windows 2000 SP1, SP2, SP3, SP4
  • Windows XP SP1, SP2
  • Windows 2003 SP1

This means that after a clean install of Windows 2000/XP/2003, a machine that connects to the Internet without a firewall enabled is vulnerable to attack. The Graweg worm is the most common attacker.

Exploit side effects:

The Server service is not vital for the operation of Windows, but it resides in the netsvcs service wrapper along with other vital services such as COM+ Event System and Network Service. When the service is attacked, the service wrapper might crash, causing COM+ applications to fail and blocking network/Internet access. One of the following messages is usually shown when it crashes:

  Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

  Faulting application svchost.exe, version 5.1.2600.2180, faulting module netapi32.dll, version 5.1.2600.2180, fault address 0x0000a3c0.

  Faulting application svchost.exe, version 5.2.3790.1830, faulting module netapi32.dll, version 5.2.3790.1830, fault address 0x0000a2be.
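As an added defender-side example (not part of this advisory), a small Python parser that scans Application Error event text for the svchost.exe / netapi32.dll crash signature quoted above. The log lines are constructed for the example, the event wording is assumed to match the messages shown on this page, and the only fault addresses it labels are the two quoted here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of Windows event-log text (Application Error events).
# The two netapi32.dll lines mirror the messages quoted above; the others are
# ordinary crashes that must not be flagged.
SAMPLE_LOG = """\
Faulting application svchost.exe, version 5.1.2600.2180, faulting module netapi32.dll, version 5.1.2600.2180, fault address 0x0000a3c0.
Faulting application notepad.exe, version 5.1.2600.2180, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010203.
Faulting application svchost.exe, version 5.2.3790.1830, faulting module netapi32.dll, version 5.2.3790.1830, fault address 0x0000a2be.
Faulting application svchost.exe, version 5.1.2600.2180, faulting module rpcrt4.dll, version 5.1.2600.2180, fault address 0x00004321.
"""

# Wording of the Application Error event as shown in the advisory (assumed format).
FAULT_RE = re.compile(
    r"Faulting application (?P<app>\S+), version (?P<app_ver>[\d.]+), "
    r"faulting module (?P<mod>\S+), version (?P<mod_ver>[\d.]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)\."
)

# Fault addresses quoted in this advisory, keyed by the netapi32.dll version
# they were seen with. Any other address is reported as not listed.
KNOWN_FAULTS: Dict[Tuple[str, int], str] = {
    ("5.1.2600.2180", 0x0000A3C0): "Windows XP",
    ("5.2.3790.1830", 0x0000A2BE): "Windows 2003",
}

# Each finding: (netapi32.dll version, fault address, matched build or None)
Finding = Tuple[str, int, Optional[str]]

def find_server_service_crashes(log_text: str) -> List[Finding]:
    """Return every svchost.exe crash whose faulting module is netapi32.dll."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = FAULT_RE.search(line)
        if not m:
            continue  # not an Application Error fault line
        if m["app"].lower() != "svchost.exe" or m["mod"].lower() != "netapi32.dll":
            continue  # some other crash; not the Server service symptom
        addr = int(m["addr"], 16)
        findings.append((m["mod_ver"], addr, KNOWN_FAULTS.get((m["mod_ver"], addr))))
    return findings

if __name__ == "__main__":
    for ver, addr, build in find_server_service_crashes(SAMPLE_LOG):
        print(f"netapi32.dll {ver} faulted at {addr:#010x}: {build or 'address not listed in advisory'}")
```

A hit on a still-unpatched host is a reason to apply MS06-040 and run an antivirus scan, since the crash is the symptom described above rather than proof of infection on its own.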

The result of an attack is usually that the system becomes infected with a virus, which takes control of the CPU and the Internet bandwidth and is then used to attack other machines on the Internet.

Solution to prevent exploit:
  1. Consider enabling a firewall to prevent future attacks (like the Windows XP Firewall)
  2. Download and install the Microsoft patch MS06-040 Vulnerability in Server Service Could Allow Remote Code Execution (921883).
    • If unable to install the patch in normal mode, then boot in safemode and install it.
    • If installing the patch in safemode, then remember to reinstall the patch afterwards in normal mode. More Info MS KB818460
  3. Download the newest virus database for your existing antivirus scanner and scan, or use housecall.antivirus.com. (If using WinXP, remember to turn off System Restore temporarily)
    • Sophos has created a dedicated removal tool, CUEBTGUI
  4. Check Windows Update to see if there are other critical patches for your system

Note that it is possible to block the attacks without installing the patch by doing one of the following:

Exploiters:

More information about the Server service attackers: