W32/Zotob.worm.c

Type: Virus
SubType: Internet Worm
Discovery Date: 08/16/2005
Length: 31,744 bytes
Minimum DAT: 4559 (08/16/2005)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 08/16/2005
Description Modified: 08/16/2005 7:38 AM (PT)
Risk Assessment:
  • Corporate User: Low
  • Home User: Low

Characteristics

This variant is capable of mass-mailing itself using its own SMTP engine. This worm exploits the MS05-039 vulnerability. See http://vil.nai.com/vil/content/v_135434.htm

This self-executing worm spreads by exploiting Windows 2000 systems vulnerable to MS05-039 in order to instruct those systems to download and execute the worm.

On Demand Scans may detect this threat as New Malware.n with the 4551 DAT files or newer.

VirusScan Enterprise 8.0i and Managed VirusScan's generic buffer overflow protection protects against code execution that may result from exploitation of MS05-039.

Symptoms

The worm creates the file PER.EXE in the WINDOWS SYSTEM directory, and registry run keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = per.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = per.exe

An additional registry change is made, which stops the SharedAccess service (Internet Connection Firewall/Internet Connection Sharing) from starting:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4 (default is 3; a Start value of 4 means Disabled)

Entries are appended to the HOSTS file to block access to anti-virus websites. HOSTS files modified in this way are proactively detected as QHosts-35.
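The following Python script is an added example, not McAfee's code and not part of the original description: it checks collected host evidence for the symptoms listed above, namely autorun values named "WINDOWS SYSTEM" that launch per.exe, the SharedAccess service set to Start=4, and HOSTS entries that sink hostnames to a loopback or null address. The registry export and HOSTS file it runs on are constructed for the example; the blocked hostnames in the HOSTS sample are placeholders, because the description does not list the anti-virus sites the worm actually appends.

```python
# Added example: offline check of a .reg export and a HOSTS file for the
# W32/Zotob.worm.c host symptoms. Inputs are plain text, so it can run on
# evidence collected from a machine rather than on the live machine.

# Constructed sample .reg export. The Zotob-related values follow the
# description; the VMware entry is a benign filler line.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"WINDOWS SYSTEM"="per.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="per.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020
"""

# Constructed sample HOSTS file. The blocked names are placeholders; the
# description does not say which anti-virus sites the worm appends.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       av-vendor-placeholder.invalid
127.0.0.1       www.av-vendor-placeholder.invalid
"""

RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value
    return keys


def reg_value_to_python(raw):
    """Turn a raw .reg value into a string or an int (dword:hex)."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw.strip('"').replace("\\\\", "\\")


def check_registry(text):
    """Findings for the autorun values and the SharedAccess change."""
    findings = []
    keys = parse_reg_export(text)
    for key in RUN_KEYS:
        for name, raw in keys.get(key, {}).items():
            value = reg_value_to_python(raw)
            if name.upper() == "WINDOWS SYSTEM" or str(value).lower().endswith("per.exe"):
                findings.append(f"autorun: {key}\\{name} = {value}")
    start = keys.get(SHAREDACCESS_KEY, {}).get("Start")
    if start is not None and reg_value_to_python(start) == 4:
        findings.append("SharedAccess service Start=4 (disabled; default is 3)")
    return findings


def check_hosts(text):
    """Flag HOSTS lines that pin a non-localhost name to a loopback/null address."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] not in LOOPBACK:
            continue
        for name in parts[1:]:
            if name.lower() not in LOCAL_NAMES:
                findings.append(f"hosts: {name} -> {parts[0]}")
    return findings


def scan_host_artifacts(reg_text, hosts_text):
    """Combined list of findings from both artifacts."""
    return check_registry(reg_text) + check_hosts(hosts_text)


if __name__ == "__main__":
    for finding in scan_host_artifacts(SAMPLE_REG_EXPORT, SAMPLE_HOSTS):
        print(finding)
```

Run it against a `reg export` of the two hive paths and a copy of `%SystemRoot%\system32\drivers\etc\hosts`; the HOSTS check is deliberately generic, so any redirect of a public hostname to loopback is reported, not only the entries this worm writes.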

The worm contains bot functionality. It attempts to connect to diabl0.turkcoders.net on TCP port 8080 and join a specified channel to wait for further instructions. Commands include:

  • sysinfo (RAM, OS, uptime)
  • download (to download and run a file)
  • remove (to remove the worm)

Method of Infection

This worm creates several threads to scan for infectable systems. The worm targets random class B IP addresses, sending SYN packets to TCP port 445. When a vulnerable system is found, a buffer overflow exploit and shellcode are sent to the remote system; the shellcode writes an FTP script (2pac.txt is the script file name) and launches FTP.EXE to download and execute the worm from the source system (haha.exe is fetched via TCP port 33333).
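The propagation sequence above, together with the bot's connection to its controller, leaves a pattern in network connection records that a defender can look for. The Python script below is an added example (not McAfee's code and not from the original description) that scores such records: a source sending bare SYNs to TCP/445 at many distinct hosts within a short window, a later connection to TCP/33333 on that same scanning host (the victim pulling the worm binary), and a connection to diabl0.turkcoders.net on TCP/8080. The `Flow` record layout, the 60-second window and the 20-host threshold are assumptions of this example, and the traffic it analyses is constructed inline.

```python
# Added example: detection of the W32/Zotob.worm.c propagation pattern in
# connection records. The Flow schema, window and threshold are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One connection record; map your sensor's fields onto these."""
    ts: float            # seconds (epoch or any monotonic clock)
    src: str             # source IPv4 address
    dst: str             # destination IPv4 address
    dport: int           # destination TCP port
    syn_only: bool       # True when only a SYN was seen (no completed handshake)
    dst_name: str = ""   # destination hostname if the sensor resolved it


C2_HOST = "diabl0.turkcoders.net"   # controller named in the description
C2_PORT = 8080
FETCH_PORT = 33333                  # port the infected host serves haha.exe on
SCAN_PORT = 445


def find_445_scanners(flows, window=60, threshold=20):
    """Sources that sent bare SYNs to TCP/445 at >= threshold distinct hosts
    inside one tumbling window of `window` seconds.
    Returns {src: (max_distinct_targets, {scanned /16 networks})}."""
    buckets = defaultdict(set)
    for f in flows:
        if f.dport == SCAN_PORT and f.syn_only:
            buckets[(f.src, int(f.ts // window))].add(f.dst)
    scanners = {}
    for (src, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            nets = {str(ip_network(f"{d}/16", strict=False)) for d in dsts}
            count, seen = scanners.get(src, (0, set()))
            scanners[src] = (max(count, len(dsts)), seen | nets)
    return scanners


def find_worm_fetches(flows, scanners):
    """(victim, source) pairs: a connection to FETCH_PORT on a host already
    seen scanning is the victim fetching the worm from that host."""
    return [(f.src, f.dst) for f in flows
            if f.dport == FETCH_PORT and f.dst in scanners]


def find_c2_beacons(flows):
    """Sources that connected to the IRC controller on its port."""
    return sorted({f.src for f in flows
                   if f.dport == C2_PORT and f.dst_name.lower() == C2_HOST})


def analyze(flows):
    """Run all three checks and return their results in one report."""
    scanners = find_445_scanners(flows)
    return {
        "scanners": scanners,
        "fetches": find_worm_fetches(flows, scanners),
        "c2": find_c2_beacons(flows),
    }


def build_sample_flows():
    """Constructed traffic: an infected host sweeping its class B on 445, a
    benign workstation using a file server, a victim fetching the worm, and
    the infected host joining the controller."""
    flows = []
    for i in range(30):   # 30 distinct targets inside 10.1.0.0/16 within 3 s
        flows.append(Flow(100.0 + i * 0.1, "10.1.2.3",
                          f"10.1.{i % 8}.{20 + i}", SCAN_PORT, True))
    for i in range(30):   # benign SMB: many completed connections, one server
        flows.append(Flow(100.0 + i, "10.1.5.5", "10.1.0.10", SCAN_PORT, False))
    flows.append(Flow(104.0, "10.1.7.9", "10.1.2.3", FETCH_PORT, False))
    flows.append(Flow(110.0, "10.1.2.3", "203.0.113.5", C2_PORT, False, C2_HOST))
    return flows


if __name__ == "__main__":
    for section, result in analyze(build_sample_flows()).items():
        print(section, result)
```

The 445 check keys on distinct destinations rather than connection count, so a workstation hammering one file server is not reported, while a sweep across a /16 is; reporting the scanned /16 networks makes the "random class B" behaviour visible in the output.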

Mail Propagation

The virus uses its own SMTP engine to construct spoofed messages. The virus may arrive in an email message as follows:

From: (Spoofed email sender; the user name part may be chosen from the following list)
Do not assume that the apparent sender address is an indication that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

  • john
  • josh
  • alex
  • michael
  • james
  • mike
  • kevin
  • david
  • george
  • sam
  • andrew
  • jose
  • leo
  • maria
  • jim
  • brian
  • serg
  • mary
  • ray
  • tom
  • peter
  • robert
  • bob
  • jane
  • joe
  • dan
  • dave
  • matt
  • steve
  • smith
  • stan
  • bill
  • bob
  • jack
  • fred
  • ted
  • paul
  • brent
  • sales
  • anna
  • brenda
  • claudia
  • debby
  • helen
  • jerry
  • jimmy
  • julie
  • linda
  • michael
  • frank
  • adam
  • barbara
  • erik
  • contact
  • sandra

The domain names are gathered from files with the following extensions:

  • txt
  • htm
  • sht
  • jsp
  • cgi
  • xml
  • php
  • asp
  • dbx
  • tbb
  • adb
  • pl
  • html
  • wab


Subject: (Varies, such as)

  • Warning!!
  • **Warning**
  • Hello
  • Confirmed...
  • Important!

Message Body: Varies

  • looooool
  • We found a photo of you in ...
  • That's your photo!!?
  • hey!!
  • 0K here is it!

Attachment: May use one of the following filenames:

  • photo
  • your_photo
  • image
  • picture
  • sample
  • loool
  • webcam_photo

Using one of the extensions: pif, exe, scr, cmd or bat.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Zotob.C@mm (Symantec)
