
W32/Bozori.A!worm - Released Aug 16, 2005 - Last Updated Mar 31, 2006

Alias/es

Net-Worm.Win32.Bozori.a, W32.Zotob.E, W32/Bozori.A!net, W32/Tpbot-A, WORM_RBOT.CBQ

Detection Availability

              Active Database    Extended Database
FortiGate     low                high
FortiClient
FortiMail     N/A

Visible Symptoms

  • A process named wintbp.exe is running on the system
  • A copy of the worm named "wintbp.exe" is present in the %system% directory

Detailed Analysis

  • The worm is a PE executable packed with UPX or Yoda.

  • Creates a mutex named "wintbp.exe".

  • Drops a copy of itself into the %system% directory as "wintbp.exe" and deletes the original file from the directory it was launched from.

  • Starts an FTP server listening on TCP port 69, which serves the worm to newly exploited hosts. Port 69 is the IANA-assigned TFTP port (UDP); this listener is TCP, so filters and signatures written for TFTP will not necessarily see it.

  • Adds the following registry entry so that the dropped copy runs at each logon:
          key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
          value name: wintbp.exe
          value data: wintbp.exe
    The value data is a bare file name, so the entry relies on %system% being on the default search path.

  • Attempts to exploit the Windows Plug and Play vulnerability (MS05-039, the patch recommended below) over TCP port 445 against randomly generated IP addresses. When a vulnerable host is found, it transfers a copy of itself to that host.

  • Connects to an IRC server at 72.20.27.115 on TCP port 8080 and opens an IRC-controlled backdoor through which the infected host can receive commands.
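The following PowerShell script is an added triage example, not part of the Fortinet entry, that checks a suspect Windows host for the indicators listed above: the running process, the dropped file in %system%, the Run key value, the mutex, the TCP/69 listener, the IRC session to 72.20.27.115:8080, and a fan-out of outbound TCP/445 connections consistent with scanning. Assumptions (not from the entry): %system% resolves to %SystemRoot%\System32, Get-NetTCPConnection is available (Windows 8/Server 2012 and later; use `netstat -ano` on older hosts), and the TCP/445 threshold of 20 connections is an arbitrary heuristic. Run it from an elevated prompt.

```powershell
# Added triage example for W32/Bozori.A!worm indicators; not from the Fortinet entry.
# Assumes %system% is %SystemRoot%\System32 and that Get-NetTCPConnection exists.
$Name     = 'wintbp.exe'
$DropPath = Join-Path $env:SystemRoot "System32\$Name"
$RunKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$IrcHost  = '72.20.27.115'
$IrcPort  = 8080
$FtpPort  = 69
$SmbFanOutThreshold = 20   # assumption: more than this many outbound 445 sessions is suspicious

$findings = New-Object System.Collections.Generic.List[string]

# 1. Running process named wintbp
$procs = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($Name)) -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings.Add("process $($p.ProcessName) pid=$($p.Id) path=$($p.Path)")
}

# 2. Dropped copy in %system%; hash it for later signature/IOC sharing
if (Test-Path -LiteralPath $DropPath) {
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    $findings.Add("file $DropPath sha256=$hash")
}

# 3. Persistence: a Run value literally named wintbp.exe
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$Name]) {
    $findings.Add("registry $RunKey\$Name = $($run.$Name)")
}

# 4. Mutex: OpenExisting throws WaitHandleCannotBeOpenedException when absent;
#    an access-denied error means the mutex exists but belongs to another session.
try {
    $m = [System.Threading.Mutex]::OpenExisting($Name)
    $m.Dispose()
    $findings.Add("mutex $Name present")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # not present
} catch [System.UnauthorizedAccessException] {
    $findings.Add("mutex $Name present (access denied)")
}

# 5. Network: FTP listener on 69/tcp, IRC C2 session, outbound 445/tcp fan-out
$conns = @(Get-NetTCPConnection -ErrorAction SilentlyContinue)
foreach ($c in $conns) {
    if ($c.State -eq 'Listen' -and $c.LocalPort -eq $FtpPort) {
        $findings.Add("listener tcp/$FtpPort pid=$($c.OwningProcess)")
    }
    if ($c.RemoteAddress -eq $IrcHost -and $c.RemotePort -eq $IrcPort) {
        $findings.Add("c2 ${IrcHost}:${IrcPort} state=$($c.State) pid=$($c.OwningProcess)")
    }
}
$smbOut = @($conns | Where-Object { $_.RemotePort -eq 445 -and $_.State -in 'SynSent','Established' })
if ($smbOut.Count -gt $SmbFanOutThreshold) {
    $findings.Add("outbound tcp/445 connections: $($smbOut.Count) (possible MS05-039 scanning)")
}

if ($findings.Count -eq 0) {
    Write-Output "No W32/Bozori.A!worm indicators found."
} else {
    Write-Output "Indicators found:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

The mutex check is the most reliable live indicator because the name is fixed and independent of where the file was dropped; the process and file checks can be defeated by a renamed sample, and the network checks only fire while the worm is active.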

Recommended Action

    FortiGate systems:

  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option.

    Patch:

  • Download and install the Microsoft patch for the MS05-039 vulnerability on all Windows hosts. The antivirus signature stops the dropped file, but only the patch prevents an unpatched host from being exploited over TCP port 445 in the first place.
      URL: http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx


Reference: ID - 71825