W32/Zotob.A!worm

Alias/es: CME-243, Net-Worm.Win32.Mytob.cd [KAV], W32.Zotob.A [NAV], W32/Zotob-A [Sophos], W32/Zotob.A [F-Prot], W32/Zotob.A!worm, W32/Zotob.worm [McAfee], WORM_ZOTOB.A [Trend]
Release Date: Aug 14, 2005

Detection Availability
                Active Database    Extended Database
FortiGate       low                high
FortiClient
FortiMail       N/A

Current Antivirus Definition Database Version: 12.338
CVE: CME-243
Description

Visible Symptoms

  • Possible firewall alert that the file "botzor.exe" is connecting to the network

  • Compromised systems are slow to respond due to heavy outbound traffic on TCP port 445 with other machines

  • Creation of these files on the infected system

    c:\WINNT\system32\botzor.exe (22,528 bytes) - W32/RBot.AKM-tr
    c:\WINNT\system32\pnpsrv.exe (267,264 bytes) - copy of Zotob
    c:\WINNT\system32\SVKP.sys (2,368 bytes) - service helper

Detailed Analysis

This packed threat targets systems that have not yet applied the Microsoft security update described in bulletin MS05-039. It connects to IP addresses and attempts to exploit the Plug and Play (PnP) vulnerability on each target. The virus also has backdoor capabilities.

Loading at Windows startup
If run, this virus will copy itself to the System32 folder -

c:\WINNT\system32\pnpsrv.exe
Date: 12/7/1999 5:00 AM
Size: 267,264 bytes

c:\WINNT\system32\SVKP.sys
{time of infection}
Size: 2,368 bytes

It then registers itself to run as a service -

HKEY_CURRENT_USER\Software\Microsoft\OLE
"Windows PNP Server" = pnpsrv.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Windows PNP Server" = pnpsrv.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
"Windows PNP Server" = pnpsrv.exe
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
"Windows PNP Server" = pnpsrv.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"Windows PNP Server" = pnpsrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Windows PNP Server" = pnpsrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Windows PNP Server" = pnpsrv.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
"Windows PNP Server" = pnpsrv.exe
"DisplayName" = SVKP
"ErrorControl" = 01, 00, 00, 00
"ImagePath" = C:\WINNT\System32\SVKP.sys
"Start" = 02, 00, 00, 00
"Type" = 01, 00, 00, 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP\Enum
"0" = Root\LEGACY_SVKP\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
"Security" = [hex values]
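To check an offline registry export for the autostart values listed above, the following Python script is an added example; it is not part of the Fortinet write-up and not Fortinet tooling. It parses a registry export in the text format that regedit and `reg export` write, lists every value under the Run, RunServices, OLE and Control\Lsa keys named above, and flags those whose data names one of the files from the Visible Symptoms section, whether written as a bare file name (as shown above) or as a full path. The embedded export is constructed for the example, and its benign entries (ExampleTray, ExampleSync) are invented placeholders.

```python
"""Added example: flag Zotob-style autostart persistence in a registry export.

Assumptions: input is a text registry export as written by regedit / `reg
export` (bracketed key paths, "name"="data" lines with backslashes doubled).
The sample export and its benign entries are constructed for this example.
"""
import re

# Key suffixes the write-up reports the worm writing its value under
# (HKCU and HKLM both), compared case-insensitively.
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\ole",
    r"\system\currentcontrolset\control\lsa",
)

# File names from the write-up's Visible Symptoms section.
IOC_FILENAMES = {"pnpsrv.exe", "botzor.exe", "svkp.sys"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

# Constructed sample export: two worm entries plus two benign placeholders.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\ExampleVendor\\tray.exe"
"Windows PNP Server"="pnpsrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows PNP Server"="pnpsrv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleSync"="C:\\Users\\alice\\AppData\\Local\\ExampleSync\\sync.exe"
"""


def parse_reg_export(text):
    """Return (key, value_name, data) triples; string data is unescaped,
    other value types (dword:, hex:) are kept as their raw text."""
    entries, current_key = [], None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            data = m.group("data")
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            entries.append((current_key, m.group("name"), data))
    return entries


def is_autostart_key(key):
    return key.lower().endswith(AUTOSTART_SUFFIXES)


def list_autostart_entries(text):
    """Every value under one of the autostart keys, for analyst review."""
    return [e for e in parse_reg_export(text) if is_autostart_key(e[0])]


def find_zotob_persistence(text):
    """Autostart values whose data names one of the write-up's dropped files,
    whether given as a bare name (as the write-up shows) or a full path."""
    hits = []
    for key, name, data in list_autostart_entries(text):
        basename = data.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
        if basename in IOC_FILENAMES:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_zotob_persistence(SAMPLE_REG_EXPORT):
        print(f'IOC hit: [{key}] "{name}" = {data}')
```

Matching on the file name rather than on the value name "Windows PNP Server" keeps the check useful if a variant renames the value but drops the same files; `list_autostart_entries` is there so an analyst can also eyeball every autostart value in the export, which is how an unknown variant gets noticed.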

Network spreading routine
The virus first binds to a high TCP port and runs an FTP server on it. It then attempts to connect to systems in the same Class A range as the infected system: it generates random IP addresses derived from the infected system's own address, keeping the first octet and choosing the Class B and Class C portions at random.

For example, if the infected system has an IP address of 192.168.29.56 [using network address translation, or NAT], the virus may try to connect with random addresses such as these -

  • 192.168.1.71
  • 192.168.113.2
  • 192.168.44.50 and so on

The virus imports numerous functions from system dynamic link libraries (DLLs) to achieve its goal of connecting to other systems -

shell32.dll -
ShellExecuteA

mpr.dll -
WNetCancelConnection, WNetAddConnection

iphlpapi.dll -
DeleteIpNetEntry, GetIpNetTable

dnsapi.dll -
DnsFlushResolverCacheEntry_A, DnsFlushResolverCache

netapi32.dll -
NetMessageBufferSend, NetUserGetInfo, NetUserEnum, NetUserDel, NetUserAdd, NetRemoteTOD,
NetApiBufferFree, NetScheduleJobAdd, NetShareEnum, NetShareDel, NetShareAdd

wininet.dll -
InternetCloseHandle, InternetReadFile, InternetCrackUrlA, InternetOpenUrlA, InternetOpenA, InternetConnectA, HttpSendRequestA, HttpOpenRequestA, InternetGetConnectedStateEx,
InternetGetConnectedState

The virus attempts to connect to the randomly chosen system on TCP port 445. If a connection is made, the virus uses the PnP exploit to gain access to the system. Once it has access, it generates an FTP script and writes it to the system, then launches FTP.EXE locally on the compromised system to retrieve a copy of the virus from the infecting system and execute it.
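The spreading pattern above (many TCP/445 connection attempts from one host to random addresses in its own first-octet range), together with the IRC control port and the identd listener described in the next section, is straightforward to spot in connection logs. The following Python script is an added example, not part of the Fortinet write-up, that runs those checks over a simplified firewall or flow export. It assumes one connection per line in the form `<ISO timestamp> <src> <dst> <dport> <proto>`; the sample lines and every address in them are constructed, and the IRC server is represented by a placeholder from the 203.0.113.0/24 documentation range rather than the real hostname.

```python
"""Added example: spot Zotob-style TCP/445 sweeps and its C2/backdoor ports
in connection logs.

Assumptions: each log line is "<ISO timestamp> <src> <dst> <dport> <proto>",
one attempted or accepted connection per line. The sample lines and all
addresses are constructed; 203.0.113.10 stands in for the IRC server.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 445     # port the worm probes before using the PnP exploit
C2_PORT = 33333     # outbound IRC control port named in the write-up
IDENTD_PORT = 113   # port the worm listens on as an identd/backdoor service

SAMPLE_FLOWS = """\
# constructed sample: one sweeping host, one C2 connection, one inbound
# identd connection, and normal SMB/HTTP traffic from a second host
2005-08-14T10:00:00 192.168.29.56 192.168.1.71 445 tcp
2005-08-14T10:00:00 192.168.29.56 192.168.113.2 445 tcp
2005-08-14T10:00:01 192.168.29.56 192.168.44.50 445 tcp
2005-08-14T10:00:01 192.168.29.56 192.17.200.9 445 tcp
2005-08-14T10:00:02 192.168.29.56 192.203.5.66 445 tcp
2005-08-14T10:00:02 192.168.29.56 192.0.2.12 445 tcp
2005-08-14T10:00:03 192.168.29.56 192.91.8.140 445 tcp
2005-08-14T10:00:03 192.168.29.56 192.168.250.3 445 tcp
2005-08-14T10:00:04 192.168.29.56 192.55.19.19 445 tcp
2005-08-14T10:00:04 192.168.29.56 192.168.6.6 445 tcp
2005-08-14T10:00:05 192.168.29.56 203.0.113.10 33333 tcp
2005-08-14T10:00:06 10.1.2.3 192.168.29.56 113 tcp
2005-08-14T10:00:07 192.168.29.57 192.168.29.1 445 tcp
2005-08-14T10:00:30 192.168.29.57 192.168.29.1 445 tcp
2005-08-14T10:00:31 192.168.29.57 192.168.29.10 80 tcp
"""


def parse_flows(text):
    """Return (timestamp, src, dst, dport, proto) tuples, skipping comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()))
    return flows


def detect_smb_sweeps(flows, window=timedelta(seconds=60), min_targets=8):
    """Return {src: (distinct_targets, distinct_/24s)} for sources that reach
    at least min_targets distinct hosts on TCP/445 within one window, all in
    the source's own first-octet range (the write-up's "same Class A")."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == SCAN_PORT and dst.split(".")[0] == src.split(".")[0]:
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        best_targets, best_subnets = 0, 0
        for i, (start, _) in enumerate(events):
            # events are sorted, so everything after i is at or past `start`
            targets = {d for ts, d in events[i:] if ts - start <= window}
            if len(targets) > best_targets:
                best_targets = len(targets)
                best_subnets = len({ipaddress.ip_network(f"{d}/24", strict=False)
                                    for d in targets})
        if best_targets >= min_targets:
            sweeps[src] = (best_targets, best_subnets)
    return sweeps


def detect_c2_and_backdoor(flows):
    """Return (outbound connections to the IRC C2 port,
               inbound connections to the identd port on private hosts)."""
    c2 = [(src, dst) for _, src, dst, dport, proto in flows
          if proto == "tcp" and dport == C2_PORT]
    backdoor = [(src, dst) for _, src, dst, dport, proto in flows
                if proto == "tcp" and dport == IDENTD_PORT
                and ipaddress.ip_address(dst).is_private]
    return c2, backdoor


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("TCP/445 sweeps:", detect_smb_sweeps(flows))
    print("C2 / identd:", detect_c2_and_backdoor(flows))
```

The subnet count matters as much as the target count: a file server legitimately talks to many hosts on 445, but those hosts sit in one or two /24s, whereas the worm's random generation spreads its targets over many. Tune `min_targets` and `window` to the size of the monitored network before using the sweep check for alerting.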

IRC Remote Command functionality
The virus will bind with TCP port 113 [identd service] and listen for connection attempts - this essentially allows the virus to perform as a remote access Trojan.

The virus creates a thread that connects to an IRC server over TCP port 33333 as its channel for communication and instructions. It connects to the IRC server 'l33t.freeshellz.org' in order to receive instructions from a malicious user. Instructions include some of the following -

2K3
action
addalias
advscan
aliases
c_action
c_privmsg
c_rn
c_rndnick
cip
clearlog
clone
clonestop
cmdstop
currentip
ddos.ack
ddos.random
ddos.stop
ddos.syn
delay
die
disconnect
driveinfo
execute
farp
fdns
findfilestop
flusharp
flushdns
getclip
gethost
httpstop
icmpflood
join
killthread
log
logout
logstop
netinfo
nick
ocmd
opencmd
part
pingflood
pingstop
privmsg
procsstop
psstop
quit
raw
reboot
reconnect
redirectstop
remover
rename
repeat
rndnick
scanall
scanstats
scanstop
securestop
skysyn
status
synflood
synstop
sysinfo
tcp
tcpflood
testdlls
tftpstop
threads
udpflood
udpstop
updater
upload
uptime
version
who

While connected to the IRC server, status messages are sent to the channel #niggaz with the following types of information -

[IDENTD]: Server running on Port: 113.
[MAIN]: Bot started.
[CMD]: Remote shell ready.
[CMD]: Couldn't open remote shell.
[CMD]: Remote shell already running.
[FLUSHDNS]: Failed to flush ARP cache.
[FLUSHDNS]: ARP cache flushed.
[FLUSHDNS]: Failed to load dnsapi.dll.
[FLUSHDNS]: Failed to flush DNS cache.
[FLUSHDNS]: DNS cache flushed.

HOSTS modification routine
This virus may install another IRC bot / backdoor Trojan (known as W32/RBot.AKM-tr). That Trojan alters the local "HOSTS" file in an effort to block access to antivirus and security-related web addresses: it overwrites the "HOSTS" file with entries that make attempts to reach certain addresses resolve to 127.0.0.1, the loopback address also known as "localhost". Below is a copy of a modified HOSTS file -

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
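A HOSTS file modified this way is easy to audit mechanically. The following Python script is an added example, not part of the Fortinet write-up: it parses a HOSTS file, treats any non-localhost name mapped to a loopback address as suspicious, separates the names that belong to the domains in the sample above (a watch list built from that sample) from other loopback mappings that an analyst should review, and produces a cleaned copy with the hijacked lines dropped. The embedded HOSTS text is constructed, and its non-worm entries (`intranet.example.internal`, `myapp.test`) are placeholders.

```python
"""Added example: find and remove HOSTS-file hijacks of the kind described
in the write-up.

Assumptions: input is HOSTS text ("<ip> <name> [<name>...]", '#' comments).
The watch list is the set of domains in the write-up's sample; the sample
HOSTS text below is constructed and its non-worm entries are placeholders.
"""
from collections import Counter

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Domains (and their subdomains) from the modified HOSTS file in the write-up.
WATCHLIST = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com", "microsoft.com",
    "virustotal.com", "amazon.com", "amazon.co.uk", "amazon.ca", "amazon.fr",
    "paypal.com", "moneybookers.com", "ebay.com",
)

SAMPLE_HOSTS = """\
# constructed sample: stock entries, a developer alias, then worm additions
127.0.0.1       localhost
::1             localhost
10.0.0.20       intranet.example.internal
127.0.0.1       myapp.test
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.mcafee.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.paypal.com
"""


def parse_hosts(text):
    """Return (line_number, ip, hostname) for every mapping, one per name."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        entries.extend((lineno, ip, n.lower()) for n in names)
    return entries


def on_watchlist(name):
    """True for a watch-listed domain or any subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def classify_hosts(text):
    """Split loopback-mapped names into (hijacked, review): watch-listed
    names count as hijacks, any other non-localhost name mapped to loopback
    is returned for analyst review (developers do add such aliases)."""
    hijacked, review = [], []
    for lineno, ip, name in parse_hosts(text):
        if ip not in LOOPBACK or name in LOCAL_NAMES:
            continue
        (hijacked if on_watchlist(name) else review).append((lineno, ip, name))
    return hijacked, review


def remove_hijacked_lines(text):
    """Return the HOSTS text with every line dropped whose names are all
    hijacked; a line mixing legitimate and hijacked names is left for
    manual handling so nothing legitimate is lost."""
    names_per_line = Counter(n for n, _, _ in parse_hosts(text))
    hijacked_per_line = Counter(n for n, _, _ in classify_hosts(text)[0])
    drop = {n for n, c in hijacked_per_line.items() if c == names_per_line[n]}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    bad, check = classify_hosts(SAMPLE_HOSTS)
    print("hijacked:", [name for _, _, name in bad])
    print("review:", [name for _, _, name in check])
    print(remove_hijacked_lines(SAMPLE_HOSTS))
```

On Windows the file to audit is `%SystemRoot%\System32\drivers\etc\hosts`; flushing the DNS resolver cache after cleaning it is needed before update sites resolve normally again.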

Miscellaneous
While running on a compromised system, this virus creates a mutex named 'SKY2K4' to prevent multiple copies from running on the same infected system.

Description Last Updated Date: Aug 16, 2005
Reference: ID - 71286