English
Deutsch
Francais
Español
Italian
Home
Virus Info
Worm/Bozori.F
Search
Home
Support
Solutions
Products
Downloads
Virus Info
Statistics
Phishing Worldmap
VDF History
Virus Science
Submit Sample
Security News
Viruses In the Wild
Company
Press
Partners
Newsletter
Worm/Bozori.F - Worm
See also
Summary
Full description
Statistics
How would you rate this information?
Worthless
Excellent
Virus:
Worm/Bozori.F
Date discovered:
04/10/2005
Type:
Worm
In the wild:
No
Reported Infections:
Low
Distribution Potential:
Medium
Damage Potential:
Medium
Static file:
Yes
File size:
19.968 Bytes
MD5 checksum:
1067520f225d7429e0edba491e4b6db5
VDF version:
6.31.1.212
General
Method of propagation:
• Local network
Aliases:
• Mcafee: W32/Bozori.worm.f
• Kaspersky: Net-Worm.Win32.Bozori.f
• TrendMicro: WORM_ZOTOB.P
• Bitdefender: Win32.Worm.Zotob.N
Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003
Side effects:
• Registry modification
• Makes use of software vulnerability
• Third party control
Files
It copies itself to the following location:
•
%SYSDIR%
\winwsl.exe
It deletes the initially executed copy of itself.
The following file is created:
– A file that is for temporary use and it might be deleted afterwards:
•
%TEMPDIR%
\
%random character string%
.bat
Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• "winwsl.exe"="winwsl.exe"
Network Infection
Exploit:
It makes use of the following Exploit:
–
MS05-039
(Vulnerability in Plug and Play)
IP address generation:
It creates random IP addresses and tries to establish a connection with them.
Infection process:
Creates a TFTP script on the compromised machine in order to download the malware to the remote location.
IRC
To deliver system information and to provide remote control it connects to the following IRC Server:
Server: 66.252.12.254
Port: 6664
Channel: #vnd
Nickname:
%random character string%
Process termination
List of processes that are terminated:
• botzor.exe; csm.exe; HPSV.exe; llsrv.exe; mousebm.exe; per.exe;
pnpsrv.exe; service32.exe; ssl.exe; svnlitup32.exe; system32.exe;
upnp.exe; winbnl.exe; winksl.exe; winpnp.exe; winrvl.exe; wintbp.exe;
wintbpx.exe; wintnl.exe; wintnpx.exe; wpa.exe
Miscellaneous
Mutex:
It creates the following Mutex:
• winwsl.exe
File details
Programming language:
The malware program was written in MS Visual C++.
Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• UPX
See a brief description
here
.
Description inserted by Iulia Diaconescu on Thu, 06 Oct 2005 12:13 (GMT+1)
Description updated by Iulia Diaconescu on Tue, 11 Oct 2005 09:42 (GMT+1)
»
About Malware
»
About Phishing
»
Viruses In the Wild
« back
Print this page
Worm/Mytob.AT
Worm/Mytob.U
TR/Crypt.CFI.Gen
Worm/Netsky.J
Worm/Mytob.AD
HEUR/PDF.Obfuscated
SPR/mIRC.Gen
TR/Crypt.UPKM.Gen
JS/Dldr.Agent.cex
TR/Dldr.Tiny.bqw
Get comfortable up to the minute info from Avira as
Detects and removes the following malware and its variants:
Worm/Sober.J
Worm/Sober.P
Worm/Sober.Y
W32/Stanit.A
Worm/NetSky.AA
Worm/NetSky.B.1
Worm/NetSky.C
Worm/Netsky.D.Dam
Worm/NetSky.P
Worm/NetSky.X
Worm/Mytob.IN.2
Worm/Mytob.KS
TR/Spy.Banker.AATZ
TR/Spy.Banker.AATZ.1
TR/Spy.Banker.AATZ.2
TR/Spy.Banker.AATZ.3
Download here
Click
here
to get the panel...
© 2008 Avira GmbH
Copyright
Privacy
Sitemap
Feedback
Imprint
FAQ
Contact
Virus Info Worm/Bozori.F
Print this page
.gif)
