
W32/Zotob.E!worm - Released Aug 16, 2005 - Last Updated Mar 13, 2007

Alias/es

Net-Worm.Win32.Bozori.a [KAV], W32.Zotob.E [NAV], W32/Bozori.540!net, W32/Bozori.A-net, W32/Bozori.A-wm, W32/IRCbot.worm!MS05-039 [McAfee], W32/Tpbot-A [Sophos], WORM_ZOTOB.E [Trend]

Detection Availability

                Active Database    Extended Database
FortiGate       low                high
FortiClient     -                  -
FortiMail       N/A

Visible Symptoms

  • Possible firewall alert that the file "wintbp.exe" is attempting to access IP addresses using TCP port 445

  • Compromised systems are slow to respond due to heavy outbound traffic on TCP port 445 with other machines

  • Creation of the file "wintbp.exe" in the System32 folder on the infected system

Detailed Analysis

This packed threat is engineered to attack systems that are not yet updated with MS05-039 Security Bulletin Update from Microsoft. It attempts to connect to IP addresses and exploit targets using a vulnerability against PnP. This virus has backdoor capabilities as well.

One factor in the success of this virus is its small fingerprint, or file size. It is so far the smallest of the Zotob variants, allowing itself to run faster.

Loading at Windows startup
If run, this virus will copy itself to the System32 folder -

c:\WINNT\system32\wintbp.exe - {date and time of infection} - 10,366 bytes

It then registers itself to run at next Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"wintbp.exe" = wintbp.exe

Network spreading routine
The virus will first bind with a high TCP port that functions as a backdoor. Next, the virus will attempt to connect with systems on the same Class A subnet as the infected system. The virus generates random IP addresses based on the infected system IP address, and spans across randomly selected Class B and Class C addresses.

For example, if the infected system has an IP address of 192.168.29.56 [using network address translation, or NAT], the virus may try to connect with random addresses such as these -

  • 192.168.1.71
  • 192.168.113.2
  • 192.168.44.50 and so on

The virus attempts to connect with the random system using TCP port 445. If a connection can be made, the virus uses a PnP exploit to gain access to the system. Once access is obtained, the virus opens a command shell through which it initiates TFTP.EXE to retrieve a copy of the virus from the attacking system. The retrieved copy of the virus is then executed.

IRC Remote Command functionality
The virus will create a thread to connect with an IRC channel server as a line of communication and instruction to the virus, using TCP port 8080. The virus connects with the IRC server '72.20.27.115' in order to receive instructions from a malicious user.

Miscellaneous
While running on a compromised system, this virus creates up to 200 threads, each scanning for vulnerable systems. This also contributed to its higher prevalence.
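The symptoms above (many outbound TCP/445 connections to random hosts in the infected system's Class A range, an IRC connection to 72.20.27.115 on TCP/8080, and a victim pulling the file back over TFTP) can be turned into a simple log triage. The script below is an added example, not part of this advisory or any Fortinet product; it parses constructed firewall log lines in an assumed "timestamp src:port -> dst:port proto" format and the scan threshold of five distinct targets is an assumption.

```python
"""Flag hosts whose traffic matches the W32/Zotob.E symptoms described above."""
import ipaddress
from collections import defaultdict

C2_IP = "72.20.27.115"   # IRC server named in the advisory
C2_PORT = 8080
SMB_PORT = 445
TFTP_PORT = 69           # TFTP normally runs over UDP; matched on port only
SCAN_THRESHOLD = 5       # assumption: distinct 445 targets before a host is flagged

# Constructed sample log (not from the page): 192.168.29.56 scans its /8, calls
# the C2, and 192.168.1.71 fetches the worm copy back over TFTP.
SAMPLE_LOG = """\
2005-08-16T10:00:01 192.168.29.56:1031 -> 192.168.1.71:445 TCP
2005-08-16T10:00:01 192.168.29.56:1032 -> 192.168.113.2:445 TCP
2005-08-16T10:00:02 192.168.29.56:1033 -> 192.168.44.50:445 TCP
2005-08-16T10:00:02 192.168.29.56:1034 -> 192.168.200.9:445 TCP
2005-08-16T10:00:03 192.168.29.56:1035 -> 192.168.7.18:445 TCP
2005-08-16T10:00:05 192.168.29.56:1036 -> 72.20.27.115:8080 TCP
2005-08-16T10:00:09 192.168.1.71:1040 -> 192.168.29.56:69 UDP
2005-08-16T10:01:00 192.168.29.200:1050 -> 192.168.29.1:445 TCP
"""

def parse_line(line):
    """Split 'ts src:port -> dst:port proto' into its fields (assumed format)."""
    ts, src, _, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, int(src_port), dst_ip, int(dst_port), proto

def analyze(lines, threshold=SCAN_THRESHOLD):
    """Return {src_ip: set(reasons)} for hosts showing the advisory's symptoms."""
    findings = defaultdict(set)
    smb_targets = defaultdict(set)   # src -> distinct same-/8 hosts hit on 445
    for line in lines:
        if not line.strip():
            continue
        _, src_ip, _, dst_ip, dst_port, proto = parse_line(line)
        if dst_ip == C2_IP and dst_port == C2_PORT:
            findings[src_ip].add("irc-c2")
        if dst_port == TFTP_PORT:
            findings[src_ip].add("tftp-fetch")
        if proto == "TCP" and dst_port == SMB_PORT:
            # The worm targets random addresses sharing the first octet (Class A).
            same_a = ipaddress.ip_address(src_ip).packed[0] == ipaddress.ip_address(dst_ip).packed[0]
            if same_a:
                smb_targets[src_ip].add(dst_ip)
    for src_ip, targets in smb_targets.items():
        if len(targets) >= threshold:
            findings[src_ip].add("smb-scan")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(host, sorted(reasons))
```

A host with a single SMB connection to a file server (192.168.29.200 in the sample) stays below the threshold and is not reported.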

Recommended Action

  • disable access to TCP port 69 [TFTP service port]

  • disable access from external to internal for TCP ports 139, 445

  • add the IP address '72.20.27.115' to the list of blocked URLs

  • Install MS05-039 Security Bulletin Update and all current security updates

  • If a system is already infected

    • disconnect infected system from the Internet

    • end the virus process running in memory "wintbp.exe"

    • delete the virus file "wintbp.exe" from the System32 folder

    • (optional) remove the registry entry related to "wintbp.exe"

  • FortiGate systems:

    • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option


Reference: ID - 152948