W32/Zotob.B!worm

Aliases: CME-164, Net-Worm.Win32.Mytob.cf [KAV], W32.Zotob.B [NAV], W32/Zotob-B [Sophos], W32/Zotob.B [F-Prot], W32/Zotob.B!worm, W32/Zotob.B-wm, W32/Zotob.worm [McAfee], WORM_ZOTOB.B [Trend]
Release Date: Aug 14, 2005
Detection Availability
                 Active Database   Extended Database
  FortiGate      low               high
  FortiClient
  FortiMail      N/A
Current Antivirus Definition Database Version: 12.323
CVE: CME-164
Description

Visible Symptoms

  • Creation of the file "csm.exe" in the System32 folder, with a file size of 15,386 bytes


  • CVE Reference: CAN-2005-1983


Detailed Analysis

  • This virus writes itself to the System32 folder as "csm.exe" and creates a mutex named "B-O-T-Z-O-R" so that only one instance runs at a time
  • When this virus is run, it registers itself to load at Windows startup via the following registry values -

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    "csm Win Updates" = \csm.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    "csm Win Updates" = \csm.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    "csm Win Updates" = \csm.exe

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    "csm Win Updates" = \csm.exe


  • The virus will alter Internet Explorer registry settings -

    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
    start = "4"

    Used to prevent Windows 2000/XP shared access

  • The virus blocks access attempts to various antivirus and security vendor sites by modifying the "hosts" domain name resolution file; every listed site name is redirected back to the infected host. The site names added to the modified "hosts" file are listed below -

    www.symantec.com
    securityresponse.symantec.com
    symantec.com
    www.sophos.com
    sophos.com
    www.mcafee.com
    mcafee.com
    liveupdate.symantecliveupdate.com
    www.viruslist.com
    viruslist.com
    f-secure.com
    www.f-secure.com
    kaspersky.com
    kaspersky-labs.com
    www.avp.com
    www.kaspersky.com
    avp.com
    www.networkassociates.com
    networkassociates.com
    www.ca.com
    ca.com
    mast.mcafee.com
    my-etrust.com
    www.my-etrust.com
    download.mcafee.com
    dispatch.mcafee.com
    secure.nai.com
    nai.com
    www.nai.com
    update.symantec.com
    updates.symantec.com
    us.mcafee.com
    liveupdate.symantec.com
    customer.symantec.com
    rads.mcafee.com
    trendmicro.com
    pandasoftware.com
    www.pandasoftware.com
    www.trendmicro.com
    www.grisoft.com
    www.microsoft.com
    microsoft.com
    www.virustotal.com
    virustotal.com
    www.amazon.com
    www.amazon.co.uk
    www.amazon.ca
    www.amazon.fr
    www.paypal.com
    paypal.com
    moneybookers.com
    www.moneybookers.com
    www.ebay.com
    ebay.com

  • This virus contains the following text strings, which are never displayed -

    Botzor2005 Made By.... Greetz to good friend Coder. Based On HellBot3
    MSG to avs: The first av who detect this worm will be the first killed in the next 24hours! ! !


  • This virus listens on TCP port 33333 and accepts common FTP commands such as USER, PASS, SYST, REST, PWD, TYPE, PORT, RETR and QUIT

  • The virus connects to the IRC server "wait.atillaekici.net" on TCP port 8080 and awaits instructions from the attacker

  • The virus starts up to 200 processes that search for other computers on TCP port 445; for each system found, it sends PnP exploit code to that system (an attack that succeeds only against systems not yet patched with MS05-039)
  • Description Last Updated Date: Aug 22, 2005
    Reference: ID - 71432
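A defender-side check for the registry indicators described in the Detailed Analysis (the "csm Win Updates" Run/RunServices values and the SharedAccess service with start = 4). This is an added example, not code from the Fortinet write-up: it parses `reg export` style text so it can run offline against an exported hive. The embedded sample is constructed; the full path C:\WINDOWS\System32\csm.exe and the "VendorTray" entry are assumptions, since the write-up names only the System32 folder, the file name and the value name.

```python
import re

# Constructed sample of `reg export` style (.reg) text. The value name
# "csm Win Updates" and the file name csm.exe come from the write-up; the full
# path C:\WINDOWS\System32\csm.exe and the "VendorTray" entry are assumptions.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"csm Win Updates"="C:\\WINDOWS\\System32\\csm.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"csm Win Updates"="C:\\WINDOWS\\System32\\csm.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020
"""

# Key suffixes the worm writes to (case-insensitive match on the exported path).
AUTOSTART_SUFFIXES = tuple(s.upper() for s in (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
))
SHAREDACCESS_SUFFIX = r"\SYSTEM\CurrentControlSet\Services\SharedAccess".upper()
SERVICE_DISABLED = 4  # a Start value of 4 means the service never starts

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def _unquote(raw):
    """Strip the quotes and backslash escaping .reg uses for string data."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    return raw


def find_zotob_registry_indicators(text):
    """List (kind, key, value_name, data) tuples matching the write-up's indicators."""
    findings = []
    for key, values in parse_reg_export(text).items():
        key_upper = key.upper()
        if key_upper.endswith(AUTOSTART_SUFFIXES):
            for name, raw in values.items():
                data = _unquote(raw)
                if name.lower() == "csm win updates" or data.lower().endswith("csm.exe"):
                    findings.append(("autostart", key, name, data))
        elif key_upper.endswith(SHAREDACCESS_SUFFIX):
            raw = values.get("Start", "")
            if raw.lower().startswith("dword:") and int(raw[6:], 16) == SERVICE_DISABLED:
                findings.append(("service_disabled", key, "Start", str(SERVICE_DISABLED)))
    return findings


if __name__ == "__main__":
    for finding in find_zotob_registry_indicators(SAMPLE_REG_EXPORT):
        print(*finding)
```

Matching on both the value name and the file name matters: the name "csm Win Updates" is the indicator given here, but a variant that renames the value would still be caught by the csm.exe data check, and the SharedAccess start value is reported separately because a disabled firewall/ICS service is worth knowing about even when the autostart entries have already been cleaned.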
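A check for the "hosts" file hijack described in the Detailed Analysis, added here as an example and not taken from the Fortinet write-up. It parses a hosts file and flags any entry that pins one of the listed vendor, update or payment domains to an address; the BLOCKED_DOMAINS set condenses the write-up's host names to their base domains, and suffix matching covers the www., update. and liveupdate. variants. The sample hosts content is constructed, and the 10.0.0.5 intranet line is an assumption standing in for a legitimate entry.

```python
import ipaddress

# Base domains of the site names the write-up lists as redirected; subdomains
# such as www.symantec.com or liveupdate.symantec.com match by suffix.
BLOCKED_DOMAINS = {
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com", "nai.com",
    "networkassociates.com", "viruslist.com", "f-secure.com", "kaspersky.com",
    "kaspersky-labs.com", "avp.com", "ca.com", "my-etrust.com", "trendmicro.com",
    "pandasoftware.com", "grisoft.com", "microsoft.com", "virustotal.com",
    "amazon.com", "amazon.co.uk", "amazon.ca", "amazon.fr", "paypal.com",
    "moneybookers.com", "ebay.com",
}

# Constructed sample hosts file: the stock localhost line, a few entries of the
# kind the worm writes (vendor names pinned to the local host) and one unrelated
# entry (an assumption) of the kind an administrator might legitimately add.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       update.microsoft.com   # trailing comment
127.0.0.1       www.kaspersky.com
10.0.0.5        intranet.example.test
"""


def parse_hosts(text):
    """Return (address, hostname) pairs for every name on every non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((address, name.lower().rstrip(".")))
    return entries


def matches_blocked(hostname):
    """Return the BLOCKED_DOMAINS entry that hostname equals or is a subdomain of, else None."""
    labels = hostname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return candidate
    return None


def find_hosts_hijacks(text):
    """Flag hosts entries that pin a listed domain to any address.

    A vendor update domain should never appear in a hosts file at all, so every
    match is reported; the loopback flag records the specific pattern the
    write-up describes (names redirected back to the infected host).
    """
    findings = []
    for address, name in parse_hosts(text):
        base = matches_blocked(name)
        if base is None:
            continue
        try:
            loopback = ipaddress.ip_address(address).is_loopback
        except ValueError:
            loopback = False  # malformed address: still report the entry
        findings.append({"host": name, "address": address, "domain": base, "loopback": loopback})
    return findings


if __name__ == "__main__":
    for finding in find_hosts_hijacks(SAMPLE_HOSTS):
        print(finding)
```

Because the check keys on the domain rather than on 127.0.0.1, it also catches variants that point the vendor names at some other address, which is why the loopback flag is reported as extra context rather than used as the match condition.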
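Network-side detection logic for the propagation and command-channel behaviour in the Detailed Analysis (TCP/445 sweeping from up to 200 processes, the outbound TCP/8080 IRC session and the TCP/33333 FTP listener), added here as an example that is not part of the Fortinet write-up. It runs over constructed firewall log lines in an assumed one-line-per-connection format; the sweep threshold of 10 distinct targets is an assumption, and 203.0.113.7 is a documentation-range placeholder for the IRC server, since the write-up gives only the host name wait.atillaekici.net and a flow log carries IP addresses.

```python
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <allow|deny> tcp <src>:<sport> -> <dst>:<dport>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) tcp (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SCAN_THRESHOLD = 10  # distinct TCP/445 targets from one source before it counts as a sweep (assumption)

# Constructed sample log. 192.168.1.10 behaves like an infected host: it sweeps
# TCP/445 across the subnet, holds an outbound TCP/8080 session to a placeholder
# IRC server address and accepts a connection on TCP/33333. 192.168.1.20 is an
# ordinary client talking to one file server.
SAMPLE_LOG_LINES = [
    f"2005-08-15T10:00:{i:02d} deny tcp 192.168.1.10:{1031 + i} -> 192.168.1.{11 + i}:445"
    for i in range(12)
] + [
    "2005-08-15T10:00:20 allow tcp 192.168.1.10:1050 -> 203.0.113.7:8080",
    "2005-08-15T10:00:25 allow tcp 192.168.1.30:2001 -> 192.168.1.10:33333",
    "2005-08-15T10:01:00 allow tcp 192.168.1.20:1100 -> 192.168.1.5:445",
    "2005-08-15T10:01:05 allow tcp 192.168.1.20:1101 -> 192.168.1.5:445",
]


def parse_log(lines):
    """Yield one dict per line that matches LOG_RE; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_zotob_network_indicators(lines, threshold=SCAN_THRESHOLD):
    """Map source host -> list of indicator strings for hosts that sweep TCP/445.

    The 445 sweep is the primary signal. Outbound 8080 and an accepted 33333
    connection are only attached to hosts already flagged for sweeping, because
    on their own they are weak evidence.
    """
    targets_445 = defaultdict(set)
    outbound_8080 = defaultdict(set)
    listeners_33333 = set()
    for rec in parse_log(lines):
        dport = int(rec["dport"])
        if dport == 445:
            targets_445[rec["src"]].add(rec["dst"])
        elif dport == 8080:
            outbound_8080[rec["src"]].add(rec["dst"])
        elif dport == 33333:
            listeners_33333.add(rec["dst"])

    findings = {}
    for host, targets in targets_445.items():
        if len(targets) >= threshold:
            findings.setdefault(host, []).append(f"445-sweep:{len(targets)}-targets")
    for host in list(findings):
        for peer in sorted(outbound_8080.get(host, ())):
            findings[host].append(f"outbound-8080:{peer}")
        if host in listeners_33333:
            findings[host].append("accepts-33333")
    return findings


if __name__ == "__main__":
    for host, reasons in find_zotob_network_indicators(SAMPLE_LOG_LINES).items():
        print(host, ", ".join(reasons))
```

Counting distinct destinations rather than raw connection attempts is what separates a sweeping worm from a busy but legitimate SMB client, which is why the ordinary client in the sample (two connections to one server) is not reported.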