English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Zotob.A
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Zotob.A - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Zotob.A
Date discovered:
16/08/2005
Type:
Worm
In the wild:
Yes
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
22.528 Bytes
MD5 checksum:
5C223D76A89AF8303777CD4C434F8707
VDF version:
6.31.1.108
General
Method of propagation:
• Local network
Aliases:
• Symantec: W32.Zotob.A
• Mcafee: W32/Zotob.worm.gen
• Kaspersky: Net-Worm.Win32.Mytob.cd
• TrendMicro: WORM_ZOTOB.A
• F-Secure: Zotob.A
• Sophos: W32/Zotob-A
• Panda: W32/Zotob.A.worm
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Blocks access to certain websites
• Blocks access to security websites
• Registry modification
• Makes use of software vulnerability
Files
It copies itself to the following location:
•
%SYSDIR%
\botzor.exe
It overwrites a file.
–
%SYSDIR%
\drivers\etc\hosts
Registry
The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "WINDOWS SYSTEM"="botzor.exe"
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
• "WINDOWS SYSTEM"="botzor.exe"
The following registry key is changed:
– [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
Old value:
• "Start"=
%user defined settings%
New value:
• "Start"=dword:00000004
Network Infection
Exploit:
It makes use of the following Exploit:
–
MS05-039
(Vulnerability in Plug and Play)
IP address generation:
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.
Infection process:
Creates an FTP script on the compromised machine in order to download the malware to the remote location.
The downloaded file is stored on the compromised machine as:
%SYSDIR%
\haha.exe
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: diabl0.tu**********ders.net
Port: 8080
Channel: #botzor elite
Nickname: [BOT]
%six-digit random character string%
Hosts
The host file is modified as explained:
– In this case existing entries are deleted.
– Access to the following domains is effectively blocked:
• www.symantec.com; securityresponse.symantec.com; symantec.com;
www.sophos.com; sophos.com; www.mcafee.com; mcafee.com;
liveupdate.symantecliveupdate.com; www.viruslist.com; viruslist.com;
viruslist.com; f-secure.com; www.f-secure.com; kaspersky.com;
kaspersky-labs.com; www.avp.com; www.kaspersky.com; avp.com;
www.networkassociates.com; networkassociates.com; www.ca.com; ca.com;
mast.mcafee.com; my-etrust.com; www.my-etrust.com;
download.mcafee.com; dispatch.mcafee.com; secure.nai.com; nai.com;
www.nai.com; update.symantec.com; updates.symantec.com; us.mcafee.com;
liveupdate.symantec.com; customer.symantec.com; rads.mcafee.com;
trendmicro.com; pandasoftware.com; www.pandasoftware.com;
www.trendmicro.com; www.grisoft.com; www.microsoft.com; microsoft.com;
www.virustotal.com; virustotal.com; www.amazon.com; www.amazon.co.uk;
www.amazon.ca; www.amazon.fr; www.paypal.com; paypal.com;
moneybookers.com; www.moneybookers.com; www.ebay.com; ebay.com
Backdoor
The following ports are opened:
–
%executed file%
on TCP port 33333 in order to provide an FTP server.
–
%executed file%
on a random TCP port
–
%executed file%
on TCP port 8888 in order to provide a remote Shell.
Miscellaneous
Mutex:
It creates the following Mutex:
• B-O-T-Z-O-R
String:
Furthermore it contains the following strings:
• Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
• MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
See a brief description
here
.
Description inserted by Dragos Tomescu on Tue, 16 Aug 2005 15:29 (GMT+1)
Description updated by Dragos Tomescu on Tue, 30 Aug 2005 11:24 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Zotob.A
Print this page
.gif)
