W32/Bozori.A!worm

Aliases: Net-Worm.Win32.Bozori.a, W32.Zotob.E, W32/Bozori.A!net, W32/Tpbot-A, WORM_RBOT.CBQ
Release Date: Aug 16, 2005
Detection Availability
                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A
Current Antivirus Definition Database Version: 12.339
Description

Visible Symptoms

  • A process named wintbp.exe runs on the system
  • It drops a copy of itself into the %system% directory as "wintbp.exe"

Detailed Analysis

  • The virus is a PE file packed with UPX or Yoda.

  • Creates a mutex named "wintbp.exe".

  • It drops a copy of itself into the %system% directory as "wintbp.exe" and removes the original file from the current directory.

  • Creates an FTP server and listens on TCP port 69

  • Adds the following registry entry:
          key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          value name: wintbp.exe
          value data: wintbp.exe

  • Attempts to exploit the LSASS Windows vulnerability on TCP port 445 against random IP addresses. If the worm finds a vulnerable computer, it uploads a copy of itself to it.

  • It connects to an IRC server at 72.20.27.115 on port 8080 and opens an IRC backdoor port.
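The behaviours listed above map directly onto host and network indicators. The following Python is an added example (not Fortinet's code) that checks constructed telemetry lines, in an assumed "event|field|..." format, for each indicator; the 445-scan threshold of 20 distinct peers is an assumed tuning value.

```python
"""Detection logic for the W32/Bozori.A!worm indicators above, run over constructed telemetry."""
from collections import defaultdict

# Indicators taken from the Detailed Analysis section
DROPPED_FILE = "wintbp.exe"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
IRC_SERVER = ("72.20.27.115", "8080")
LISTEN_PORT = "69"
SCAN_PORT = "445"
SCAN_THRESHOLD = 20  # distinct peers hit on 445 from one host; assumed tuning value

# Constructed sample telemetry (not real logs): "event|field|field..."
SAMPLE_EVENTS = [
    "file_create|C:\\Windows\\System32\\wintbp.exe",
    "registry_set|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|wintbp.exe|wintbp.exe",
    "listen|tcp|69",
    "connect|10.0.0.5|72.20.27.115|8080",
    "connect|10.0.0.5|192.0.2.10|80",  # benign traffic, must not fire
] + [f"connect|10.0.0.5|198.51.100.{i}|445" for i in range(1, 26)]


def detect(events):
    """Return sorted, de-duplicated findings for the indicators listed above."""
    findings = set()
    peers_on_445 = defaultdict(set)  # source host -> destinations contacted on 445
    for line in events:
        kind, *f = line.strip().split("|")
        if kind == "file_create" and f[0].lower().endswith("\\" + DROPPED_FILE):
            findings.add("dropped copy wintbp.exe in system directory")
        elif kind == "registry_set" and f[0].lower() == RUN_KEY and f[1].lower() == DROPPED_FILE:
            findings.add("Run key persistence: wintbp.exe")
        elif kind == "listen" and f[1] == LISTEN_PORT:
            findings.add("listener on TCP 69 (worm file server)")
        elif kind == "connect":
            src, dst, port = f
            if (dst, port) == IRC_SERVER:
                findings.add("IRC connection to 72.20.27.115:8080")
            if port == SCAN_PORT:
                peers_on_445[src].add(dst)
    # Many distinct 445 peers from one host is the worm's propagation pattern
    for src, peers in peers_on_445.items():
        if len(peers) >= SCAN_THRESHOLD:
            findings.add(f"{src} scanning TCP 445 ({len(peers)} distinct hosts)")
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```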

Description Last Updated Date: Mar 31, 2006
Reference: ID - 71825