Win32:Zotob

Win32:Zotob is an internet worm that uses the Windows vulnerability MS05-039 (Plug and Play Buffer Overflow, http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx) to penetrate the computer. This worm does not spread by email.

The worm creates 300 threads that connect to random IP addresses. Each thread first tests the connection to port 445 and, if successful, tries to exploit the vulnerability. If the attack succeeds, a shell (cmd.exe) is started on port 8888. Through this shell port the worm sends an FTP script that instructs the remote computer to download the worm from the attacking computer via FTP and execute it.
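The propagation sequence above (sweeping TCP/445, a shell on TCP/8888, the victim fetching the worm back over TCP/33333) leaves a recognisable pattern in connection logs. The following is an added example, not part of the original description: it runs a simple detector over a constructed firewall log. The log format, the scan threshold and the time windows are assumptions chosen for illustration; the ports come from the write-up.

```python
"""Flag Win32:Zotob-style propagation in a constructed connection log.

Added example. Assumes a plain "timestamp src dst dport" log format
(constructed below) and the port behaviour stated in the description:
scanning TCP/445, a shell on TCP/8888, the worm's FTP server on TCP/33333.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
SHELL_PORT = 8888
FTP_PORT = 33333

# Constructed sample: 10.0.0.5 sweeps port 445, exploits 10.0.0.9, which then
# connects back to the attacker's FTP server on 33333. 10.0.0.20 is benign.
SAMPLE_LOG = """\
2005-08-16T10:00:00 10.0.0.5 10.0.0.7 445
2005-08-16T10:00:00 10.0.0.5 192.168.3.3 445
2005-08-16T10:00:01 10.0.0.5 172.16.0.2 445
2005-08-16T10:00:01 10.0.0.5 10.0.0.9 445
2005-08-16T10:00:02 10.0.0.5 10.0.0.9 8888
2005-08-16T10:00:03 10.0.0.9 10.0.0.5 33333
2005-08-16T10:05:00 10.0.0.20 10.0.0.50 445
"""


def parse_log(text):
    """Parse constructed log lines into (time, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_scanners(events, min_targets=3, window=timedelta(seconds=60)):
    """Sources that hit many distinct hosts on 445 inside a short window.

    min_targets is an assumed threshold; the real worm runs 300 threads, so
    a far higher count is normal for an infected host.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == SMB_PORT:
            per_src[src].append((ts, dst))
    scanners = set()
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return sorted(scanners)


def find_exploit_chains(events, window=timedelta(seconds=30)):
    """(attacker, victim) pairs showing 445 -> 8888, then victim -> 33333."""
    smb = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == SMB_PORT:
            smb[(src, dst)].append(ts)
    limit = window.total_seconds()
    chains = []
    for ts, src, dst, dport in events:
        if dport != SHELL_PORT:
            continue
        # Only count the shell port if the same pair had a 445 contact just before.
        if not any(0 <= (ts - t).total_seconds() <= limit for t in smb.get((src, dst), [])):
            continue
        fetched = any(
            s == dst and d == src and p == FTP_PORT and 0 <= (t - ts).total_seconds() <= limit
            for t, s, d, p in events
        )
        chains.append({"attacker": src, "victim": dst, "payload_fetched": fetched})
    return chains


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("scanners:", find_scanners(ev))
    print("exploit chains:", find_exploit_chains(ev))
```

Isolated hits on 8888 or 33333 are not reported on their own; the detector only raises a chain when the 445 contact, the shell connection and the reverse FTP fetch line up between the same two hosts, which keeps a plain port scan from being mistaken for a successful infection.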

The file named "botzor.exe" is created in the system folder (C:\Windows\System, C:\Windows\System32 or C:\WinNT\System32, depending on the Windows version) on an infected computer. A few registry keys are modified. The worm is activated by the registry item "WINDOWS SYSTEM" with the value "botzor.exe" in the keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The "Shared Access" service is disabled by setting the "Start" item of the following key to the value "4":
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess

This service is required for the Windows Firewall to function.

The worm runs an FTP server on port 33333 and opens an IRC connection to the server diabl0.turkcoders.net. This IRC connection might be used for remote control of the infected computer.

Win32:Zotob-B is like Zotob, but the worm file is named "csm.exe" and the registry item is named "csm Win Updates".

The Win32:Zotob-C file is named "per.exe". This version also spreads by email, in addition to the exploit infection channel. It collects mail addresses on the infected computer and builds new addresses by combining the domains it finds with a list of names that is part of the worm. The infected mail has one of the following subjects: "Confirmed...", "Hello", "Important!", "**Warning**", "Warning". The mail body can contain one of the following texts: "hey!!", "looooool", "OK here is it!", "That's your photo!!?", "We found a photo of you in...". The infected attachment has one of the extensions .bat, .cmd, .exe, .pif or .scr and one of the names "image", "loool", "photo", "picture", "sample", "webcam photo", "your photo".

Win32:Zotob-D uses the name "windrg32.exe". The worm file is saved to the subfolder "wbev" of the system folder, for example C:\Windows\System32\Wbev\windrg32.exe. It connects to a few IRC servers. The worm tries to end processes with the names "botzor.exe", "cmesys.exe", "csm.exe", "cxtpls.exe", "ebatesmoemoneymaker.exe", "nhupdater.exe", "pnpsrv.exe", "qttask.exe", "realsched.exe", "viewmgr.exe", "winpnp.exe". It adds an item named "WinDrg32" with the value "%system%\wbev\windrg32.exe" to the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It deletes the items of a few different adware programs and of older Zotob versions from this key and from the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. It also deletes the files and folders of those adware programs.

Win32:Zotob-E uses the filename "wintbp.exe". The item in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key is named "wintbp".
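The persistence items listed for the variants above, together with the disabled "Shared Access" service, can be checked offline from a registry export (`reg export` or regedit's .reg file) of the Run, RunServices and SharedAccess keys. The following is an added example and not code from the original description: it parses a constructed .reg export and reports the indicators named in the write-up. The parser handles only the string and dword value types used here; the sample export and the "Updater" entry in it are constructed.

```python
"""Scan a .reg export for the Win32:Zotob persistence indicators.

Added example. Assumes the export has already been decoded to text (regedit
writes UTF-16LE; open the file with encoding="utf-16"). Value names, file
names and the SharedAccess "Start" setting are taken from the description.
"""
import re

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHARED_ACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"

# Run item name (lower-cased) -> worm file name, per variant.
ZOTOB_RUN_VALUES = {
    "windows system": "botzor.exe",   # Win32:Zotob
    "csm win updates": "csm.exe",     # Win32:Zotob-B
    "windrg32": "windrg32.exe",       # Win32:Zotob-D
    "wintbp": "wintbp.exe",           # Win32:Zotob-E
}
ZOTOB_FILES = set(ZOTOB_RUN_VALUES.values()) | {"per.exe"}  # per.exe: Win32:Zotob-C

# Constructed sample export: one legitimate item, one Zotob item, SharedAccess disabled.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"WINDOWS SYSTEM"="botzor.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(raw):
    """Decode a .reg value: dword:<hex> -> int, quoted string -> str (unescaped)."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw  # hex(...) and other types are left undecoded; not needed here


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1).replace('\\"', '"')] = _decode(m.group(2))
    return keys


def scan_for_zotob(keys):
    """List findings: known Run items, known worm file names, firewall service disabled."""
    findings = []
    for key in RUN_KEYS:
        for name, value in keys.get(key, {}).items():
            known_name = name.lower() in ZOTOB_RUN_VALUES
            basename = str(value).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if known_name or basename in ZOTOB_FILES:
                findings.append(f"persistence: {key}\\{name} = {value}")
    if keys.get(SHARED_ACCESS_KEY, {}).get("Start") == 4:
        findings.append("SharedAccess service disabled (Start=4): Windows Firewall cannot run")
    return findings


if __name__ == "__main__":
    for finding in scan_for_zotob(parse_reg(SAMPLE_REG)):
        print(finding)
```

Matching on both the item name and the file name catches a renamed item that still points at a known worm file, and the SharedAccess check is worth keeping in any host triage script because a firewall that has been silently disabled is easy to overlook when the worm file itself has already been removed.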

avast! with VPS file dated on or after 16th August 2005 is able to detect this worm.
