This application requires Javascript for optimal performance.

W32/Bozori.A!worm - Released Aug 16, 2005 - Last Updated Mar 31, 2006

Alias/es

Net-Worm.Win32.Bozori.a, W32.Zotob.E, W32/Bozori.A!net, W32/Tpbot-A, WORM_RBOT.CBQ

Detection Availability

	Active Database	Extended Database
FortiGate		low high
FortiClient
FortiMail		N/A

Visible Symptoms

A process named wintbp.exe runs in the system
It drops a copy of itself at the %system% directory named as "wintbp.exe"

Detailed Analysis

The virus is a PE file packed with UPX or Yoda.

Create a mutex named �wintbp.exe�.

It drops a copy of itself at the %system% directory named as "wintbp.exe" and removes the original file from the current directory

Creates an FTP server and listens on TCP port 69

Add the following registry entry:
      key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      value name: wintbp.exe
      value data: wintbp.exe

Attempts to exploit the LSASS Windows vulnerability on TCP port 445 using random IP address. If the worm successfully finds a vulnerable computer, it will upload the worm.

It connects to an IRC server 72.20.27.115 port 8080, and open an IRC backdoor port.

Recommended Action

FortiGate systems:

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Patch

Download and install the patch for MS05-039 vulnerability.
URL: http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

Reference: ID - 71825

Current Threat Level

Vulnerabilities

Virus/Spyware

Spam

PGP Keys

Contact Form

Copyright © 2011 Fortinet Inc. All Rights Reserved