Worm/Zotob.F - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Zotob.F
Date discovered:	17/08/2005
Type:	Worm
In the wild:	Yes
Reported Infections:	Medium
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	10.878 Bytes
MD5 checksum:	96AB4033143AD95744AA208C4DE7A053
VDF version:	6.31.1.130

General Method of propagation:
   • Local network

Aliases:
   • Symantec: W32.Zotob.F
   • Mcafee: W32/Bozori.worm.b
   • Kaspersky: Net-Worm.Win32.Bozori.b
   • TrendMicro: WORM_ZOTOB.F
   • F-Secure: Bozori.B
   • Sophos: W32/Zotob-F
   • Panda: W32/IRCbot.KL.worm

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Disable security applications
   • Makes use of software vulnerability

Files It copies itself to the following location:
• %WINDIR%\Sysdir32\wintbx.exe

It deletes the initially executed copy of itself.

The following file is created:

– %TEMPDIR%\%three-digit random character string%.bat Furthermore it gets executed after it was fully created. This batch file is used to delete a file.

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "wintbpx.exe"="wintbpx.exe"

Network Infection Exploit:
It makes use of the following Exploit:
– MS05-039 (Vulnerability in Plug and Play)

IP address generation:
It creates random IP addresses and tries to establish a connection with them.
It creates random IP addresses while it keeps the first two octets from its own address. Afterwards it tries to establish a connection with the created addresses.

Infection process:
Creates a TFTP script on the compromised machine in order to download the malware to the remote location.
The downloaded file is stored on the compromised machine as: %WINDIR%\%random character string%.exe

IRC To deliver system information and to provide remote control it connects to the following IRC Server:

Server: 72.20.41.**********
Port: 6667
Channel: #tbp
Nickname: %random character string% 4 %random character string%

Process termination List of processes that are terminated:
   • botzor.exe; csm.exe; llsrv.exe; mousebm.exe; pnpsrv.exe;
      service32.exe; svnlitup32.exe; system32.exe; upnp.exe; winpnp.exe;
      wintbp.exe

Backdoor The following ports are opened:

– %executed file% on UDP port 69 in order to provide a TFTP server.
– %executed file% on TCP port 8563 in order to provide a remote Shell.

Miscellaneous Mutex:
It creates the following Mutex:
• wintbx.exe

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packers:
• UPX
• Yoda's Cryptor

See a brief description here.

Description inserted by Dragos Tomescu on Wed, 17 Aug 2005 14:35 (GMT+1)
Description updated by Dragos Tomescu on Tue, 30 Aug 2005 17:48 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back