This application requires Javascript for optimal performance.

W32/Zotob.C@mm - Released Aug 15, 2005 - Last Updated Oct 05, 2005

Alias/es CME-581, Net-Worm.Win32.Mytob.ch [KAV], W32.Zotob.C@mm [NAV], W32/Zotob.C-net, W32/Zotob.C@mm, W32/Zotob.worm [McAfee], WORM_ZOTOB.C [Trend]
CVE CME-581
Visible Symptoms Creation of the file "per.exe" into the System32 folder, with a file size of 31,744 bytes
Detailed Analysis * This virus writes itself to the System32 folder as "per.exe" and creates a Mutex named "B-O-T-Z-O-R" to prevent loading more than one instance * When this virus is run, it registers to load at Windows startup via the registry - HKCU\Software\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = \per.exe HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = \per.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = \per.exe HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = \per.exe * The virus will alter Internet Explorer registry settings - HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess start = "4" Used to prevent Windows 2000/XP shared access * The virus blocks access attempts to various Antivirus and security vendor sites by modifying the "hosts." domain name resolution file; all modified site names are redirected back to the infected host; copy of modified "hosts" file below - www.symantec.com securityresponse.symantec.com symantec.com www.sophos.com sophos.com www.mcafee.com mcafee.com liveupdate.symantecliveupdate.com www.viruslist.com viruslist.com viruslist.com f-secure.com www.f-secure.com kaspersky.com kaspersky-labs.com www.avp.com www.kaspersky.com avp.com www.networkassociates.com networkassociates.com www.ca.com ca.com mast.mcafee.com my-etrust.com www.my-etrust.com download.mcafee.com dispatch.mcafee.com secure.nai.com nai.com www.nai.com update.symantec.com updates.symantec.com us.mcafee.com liveupdate.symantec.com customer.symantec.com rads.mcafee.com trendmicro.com pandasoftware.com www.pandasoftware.com www.trendmicro.com www.grisoft.com www.microsoft.com microsoft.com www.virustotal.com virustotal.com www.amazon.com www.amazon.co.uk www.amazon.ca www.amazon.fr www.paypal.com paypal.com moneybookers.com www.moneybookers.com www.ebay.com ebay.com * This virus contains the following text string but is not displayed - msn: Botzor2 pnp+asn+mail spread. Greetz to good friend Coder. Based On HellBot3 F-secure, sophos ok wait bitchs! ! ! * This virus binds to TCP port 33333 and can receive common FTP commands such as USER, PASS, SYST, REST, PWD, TYPE, PORT, RETR, QUIT and so on * The virus connects to the IRC server named "diabl0.turkcoders.net" using TCP port 8080 awaiting instructions from a hacker * The virus starts up to 200 processes to search for other computers using TCP port 445 - for each system found, the virus sends PnP exploit code to that system [an attack against pre-MS05-039 systems] * If an attack is successful against the target, the infected system binds with TCP port 8888 and awaits hacker instructions * This virus can spread to other systems using its own SMTP code engine - the virus gathers email addresses from the usual suspects (files that end in these extensions) - '* txt', '* htmb', '* shtl', '* jspl' '* cgil', '* xmls', '* phpq', '* aspd' '* dbxn', '* tbbg', '* adbh', '* pl' '* html', '* wab' * The virus avoids using names that have these strings - Abuse, security, admin, support, contact, webmaster, Info, samples, postmaster, webmaster, noone, nobody, Nothing, anyone, someone, your, you, me, bugs, Rating, site, contact, soft, no, somebody, privacy, Service, help, not, submit, feste, ca, gold-certs, The.bat, page, Syma, icrosof, msn., hotmail, panda, sopho, borlan, inpris, Example, mydomai, nodomai, ruslis, gov, gov., mil, foo., Unix, math, bsd, mit.e, gnu, fsf., ibm.com, google, Kernel, linux, fido, usenet, iana, ietf, rfc-ed, Sendmail, arin., ripe., isi.e, isc.o, secur, acketst, Pgp, tanford.e, utgers.ed, mozilla, icrosoft, support, Ntivi, unix, bsd, linux, listserv, certific, google, accoun * the virus spoofs the "sender" email address and uses any of these names as a sender "From" - "john", "josh", "alex", "michael", "james", "mike", "kevin", "david", "george", "sam", "andrew", "jose", "leo", "maria", "jim", "brian", "serg", "mary", "ray", "tom", "peter", "robert", "bob", "jane", "joe", "dan", "dave", "matt", "steve", "smith", "stan", "bill", "bob", "jack", "fred", "ted", "paul", "brent", "sales", "anna", "brenda", "claudia", "debby", "helen", "jerry", "jimmy", "julie", "linda", "michael", "frank", "adam", "barbara", "erik", "contact", "sandra" * the virus creates emails with any of the following subject lines - Warning! ! Warning Hello Confirmed... Important! * the virus uses any of these as inserted body text into the new message - Looooool We found a photo of you in... That's your photo! ! ? Hey! ! 0K here is it! * The virus will have a name such as these - Photo Your_photo Image Picture Sample Loool Webcam_photo with one of these extensions - Pif, scr, exe, cmd, bat
Recommended Action FortiGate systems: check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

Reference: ID - 71733

Current Threat Level

Vulnerabilities

Virus/Spyware

Spam

PGP Keys

Contact Form

Copyright © 2011 Fortinet Inc. All Rights Reserved