W32/Zotob.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/14/2005
- Length: Varies
- Minimum DAT: 4558 (08/15/2005)
- Updated DAT: 4561 (08/17/2005)
- Minimum Engine: 5.1.00
- Description Added: 08/14/2005
- Description Modified: 08/15/2005 1:48 PM (PT)
Characteristics
This worm exploits the MS05-039 vulnerability. There are at least 2 other W32/Sdbot-based worms known to exist that also exploit this vulnerability. They may be seen with the filenames pnpsrv.exe or winpnp.exe.
See http://vil.nai.com/vil/content/v_135434.htm
This self-executing worm spreads by exploiting Windows 2000 systems vulnerable to MS05-039 in order to instruct those systems to download and execute the worm.
On Demand Scans may detect this threat as New Malware.n with the 4551 DAT files or newer.
VirusScan Enterprise 8.0i and Managed VirusScan's generic buffer overflow protection protects against code execution that may result from exploitation of MS05-039.
Symptoms
The worm creates the file botzor.exe in the WINDOWS SYSTEM directory and registry run keys are created to load the worm at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = botzor.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = botzor.exe
An additional registry change is made:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4 (default is 3)
The HOSTS file is appended to block access to anti-virus websites. Appended HOSTS files are proactively detected as QHosts-35.
The worm contains BOT functionality. It attempts to connect to diabl0.turkcoders.net on TCP port 8080 and join a specified channel to wait for further instructions. Commands include:
- sysinfo (RAM, OS, uptime)
- download (to download and run a file)
- remove (to remove the worm)
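The host-based indicators listed above (the two run-key values, the SharedAccess "Start" change, and HOSTS entries pointing anti-virus sites elsewhere) can be checked mechanically. The following is an added example, not McAfee's tooling or the worm's code: it takes registry data and HOSTS contents as plain Python values so it runs offline on constructed input; a caller on a live host would supply the real registry values and the contents of the drivers\etc\hosts file. The list of anti-virus domain suffixes is an assumption, since the description does not name the sites the worm blocks.

```python
from typing import Dict, List

# Indicators taken from the Symptoms section above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
RUN_VALUE_NAME = "WINDOWS SYSTEM"
DROPPED_FILE = "botzor.exe"
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SHAREDACCESS_DEFAULT_START = 3

# Assumed anti-virus hostnames to watch for in HOSTS (illustrative only; the
# description says "anti-virus websites" without naming them).
AV_HOST_SUFFIXES = ("mcafee.com", "nai.com", "symantec.com", "f-secure.com")


def check_run_keys(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """registry maps a key path to {value name: data}. Returns matching run entries."""
    findings = []
    for key in RUN_KEYS:
        data = registry.get(key, {}).get(RUN_VALUE_NAME)
        if data and data.lower().endswith(DROPPED_FILE):
            findings.append(f"{key}\\{RUN_VALUE_NAME} = {data}")
    return findings


def check_sharedaccess(registry: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag the firewall/ICS service (SharedAccess) if its start type was changed."""
    start = registry.get(SHAREDACCESS_KEY, {}).get("Start")
    if start is not None and int(start) != SHAREDACCESS_DEFAULT_START:
        return [f"SharedAccess Start = {start} (default {SHAREDACCESS_DEFAULT_START})"]
    return []


def check_hosts(hosts_text: str) -> List[str]:
    """Flag HOSTS lines that pin an anti-virus hostname to any address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower().endswith(AV_HOST_SUFFIXES):
                findings.append(f"{name} -> {addr}")
    return findings


def scan_host(registry: Dict[str, Dict[str, str]], hosts_text: str) -> Dict[str, List[str]]:
    """Run all three checks and return findings grouped by indicator type."""
    return {
        "run_keys": check_run_keys(registry),
        "sharedaccess": check_sharedaccess(registry),
        "hosts": check_hosts(hosts_text),
    }


# Constructed sample data that reproduces the indicators described above.
SAMPLE_REGISTRY = {
    RUN_KEYS[0]: {RUN_VALUE_NAME: "botzor.exe"},
    RUN_KEYS[1]: {RUN_VALUE_NAME: "botzor.exe"},
    SHAREDACCESS_KEY: {"Start": "4"},
}
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 www.mcafee.com
127.0.0.1 vil.nai.com
"""

if __name__ == "__main__":
    for indicator, hits in scan_host(SAMPLE_REGISTRY, SAMPLE_HOSTS).items():
        print(indicator, hits)
```

A clean host returns empty lists for all three keys; any non-empty list is a reason to run the recommended engine and DAT combination against the machine.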
Method of Infection
This worm creates 16 threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP port 445. When a vulnerable system is found, a buffer overflow exploit and shellcode are sent to the remote system, creating an FTP script (2pac.txt is the script file name) and launching FTP.EXE to download and execute the worm from the source system (via TCP port 33333; haha.exe is fetched).
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Zotob.A (Symantec)
- W32/Zotob.worm.gen
- Zotob.A (F-Secure)