W32/Bozori.worm.b
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 08/17/2005
- Length: 10,878 bytes (packed)
- Minimum DAT: 4561 (08/17/2005)
- Updated DAT: 4609 (10/20/2005)
- Minimum Engine: 5.1.00
- Description Added: 08/17/2005
- Description Modified: 08/17/2005 5:34 AM (PT)
Characteristics
This detection is for a worm that propagates by exploiting systems which are not yet patched for the MS05-039 vulnerability. It is similar to the recent W32/IRCBot.worm!MS05-039 variant.
IRC functionality
This worm is designed to contact a remote IRC server (the IP address is hard-coded in the worm's body: 72.20.41.139), join a channel (#tbp) and wait for further instructions. The IRC functionality is very limited, but seems to provide the ability to:
- stop the IRC bot
- remove the bot from the infected machine
- download files from a remote machine
Process Termination
The worm is intended to terminate several processes belonging to other recent MS05-039-aware worms. The processes it attempts to kill are:
- wintbp.exe
- svnlitup32.exe
- service32.exe
- mousebm.exe
- llsrv.exe
- pnpsrv.exe
- winpnp.exe
- csm.exe
- system32.exe
- botzor.exe
- upnp.exe
Symptoms
If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, it will continually reboot.
Method of Infection
Installation
When the file is run, the virus copies itself to the Windows System directory as WINTBPX.EXE, for example:
C:\WINDOWS\SYSTEM32\WINTBPX.EXE
Registry keys are created to load the worm at system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbpx.exe" = wintbpx.exe
Propagation
This threat scans for MS05-039 exploitable systems. When a vulnerable system is found, it uses a buffer overflow to write the worm file to that machine via a TFTP upload on port 8563.
Blocking this port via McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow itself is not prevented.
Also, removal of TFTP.EXE (or blocking its execution via VSE 8.0i access protection) would prevent the vulnerable machine from downloading the worm from an infected machine.
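The installation, IRC and propagation indicators above can be turned into a simple triage check. The following is an added example written for this page; it is not McAfee's tooling or the worm's code. It takes a snapshot of a host (Run key values, file paths, process names) plus a few firewall log lines and reports which of the advisory's indicators match. The firewall log format, the internal addresses, the IRC port 6667 and all sample data are constructed for the demo; only the file name, Run key value, IRC server address and TFTP port come from the advisory.

```python
"""Indicator check for W32/Bozori.worm.b (added example, not McAfee code).

All sample data below is constructed for the demo; the indicators themselves
are the ones quoted in the advisory text.
"""
import re

# Indicators quoted from the advisory
WORM_FILE = r"C:\WINDOWS\SYSTEM32\WINTBPX.EXE"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "wintbpx.exe"
IRC_SERVER = "72.20.41.139"
TFTP_PORT = 8563

# Constructed firewall log format assumed by this demo:
#   <date> <time> <ALLOW|DROP> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def check_persistence(run_values):
    """run_values: {value name: data} read from the Run key (a snapshot, not live)."""
    hits = []
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE or data.lower().endswith(RUN_VALUE):
            hits.append(f"persistence: {RUN_KEY}\\{name} = {data}")
    return hits


def check_files(existing_paths):
    """existing_paths: iterable of file paths present on the host (snapshot)."""
    return [f"dropped file: {p}" for p in existing_paths
            if p.upper() == WORM_FILE.upper()]


def check_processes(process_names):
    """process_names: image names from a process listing (snapshot)."""
    return [f"worm process running: {n}" for n in process_names
            if n.lower() == RUN_VALUE]


def check_network(log_lines):
    """Flag the two network behaviours the advisory describes."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; ignore it
        dport = int(m["dport"])
        if m["dst"] == IRC_SERVER:
            hits.append(f"{m['ts']}: {m['src']} contacted hard-coded IRC server "
                        f"{m['dst']}:{dport}")
        # The advisory gives only the port for the TFTP transfer, so match on the
        # port alone rather than assuming a protocol. DROP lines are still worth
        # reporting: they show an already-infected neighbour pushing the file.
        if dport == TFTP_PORT:
            hits.append(f"{m['ts']}: {m['action']} {m['src']} -> {m['dst']} "
                        f"on worm TFTP port {TFTP_PORT}")
    return hits


def scan(run_values, files, processes, log_lines):
    """Combine all checks into one list of findings."""
    return (check_persistence(run_values) + check_files(files)
            + check_processes(processes) + check_network(log_lines))


# Constructed sample host snapshot and firewall log
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "wintbpx.exe": "wintbpx.exe",
}
SAMPLE_FILES = [r"C:\WINDOWS\SYSTEM32\WINTBPX.EXE", r"C:\WINDOWS\SYSTEM32\ctfmon.exe"]
SAMPLE_PROCESSES = ["explorer.exe", "WINTBPX.EXE", "svchost.exe"]
SAMPLE_FW_LOG = """\
2005-08-17 10:02:11 ALLOW TCP 192.0.2.15:1034 -> 72.20.41.139:6667
2005-08-17 10:02:40 ALLOW TCP 192.0.2.15:1041 -> 198.51.100.7:80
2005-08-17 10:03:05 ALLOW UDP 192.0.2.15:1042 -> 192.0.2.22:8563
2005-08-17 10:03:30 DROP UDP 192.0.2.15:1043 -> 192.0.2.23:8563
this line is not in the expected format and is skipped
""".splitlines()


if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_VALUES, SAMPLE_FILES, SAMPLE_PROCESSES, SAMPLE_FW_LOG):
        print(hit)
```

On the sample data the script reports the Run key value, the dropped file, the running worm process, the IRC contact and both port-8563 transfers. The checks work on snapshots rather than querying the live host so the same logic can be run over exported registry, process and firewall data from many machines during a cleanup.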
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Sophos: W32/Zotob-F
- Symantec: W32.Zotob.F