W32/Zotob.E!worm

Alias/es: Net-Worm.Win32.Bozori.a [KAV], W32.Zotob.E [NAV], W32/Bozori.540!net, W32/Bozori.A-net, W32/Bozori.A-wm, W32/IRCbot.worm!MS05-039 [McAfee], W32/Tpbot-A [Sophos], WORM_ZOTOB.E [Trend]
Release Date: Feb 16, 2006

Detection Availability

              Active Database   Extended Database
FortiGate     low               high
FortiClient
FortiMail     N/A
Current Antivirus Definition Database Version: 12.339
Description

Visible Symptoms

  • Possible firewall alert that the file "wintbp.exe" is attempting to access IP addresses using TCP port 445

  • Compromised systems are slow to respond due to heavy outbound traffic on TCP port 445 with other machines

  • Creation of the file "wintbp.exe" in the System32 folder on the infected system

Detailed Analysis

This packed threat is engineered to attack systems that have not yet been updated with the Microsoft Security Bulletin MS05-039 patch. It attempts to connect to IP addresses and exploit the Plug and Play (PnP) vulnerability addressed by that bulletin. This virus has backdoor capabilities as well.

One factor in the success of this virus is its small footprint, or file size. It is so far the smallest of the Zotob variants, which allows it to run faster.

Loading at Windows startup
If run, this virus will copy itself to the System32 folder -

c:\WINNT\system32\wintbp.exe - {date and time of infection} - 10,366 bytes

It then registers itself to run at next Windows startup -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"wintbp.exe" = wintbp.exe

Network spreading routine
The virus first binds a high-numbered TCP port that functions as a backdoor. Next, it attempts to connect to systems on the same Class A subnet as the infected system. The virus generates random IP addresses derived from the infected system's own IP address, spanning randomly selected Class B and Class C address ranges.

For example, if the infected system has the IP address 192.168.29.56 [a private address behind network address translation, or NAT], the virus may try to connect to random addresses such as these -

  • 192.168.1.71
  • 192.168.113.2
  • 192.168.44.50 and so on

The virus attempts to connect to each random address on TCP port 445. If a connection can be made, the virus uses the PnP exploit to gain access to the system. Once access is obtained, the virus opens a command shell on the target, through which it runs TFTP.EXE to retrieve a copy of the virus from the attacking system. The retrieved copy of the virus is then executed.

IRC Remote Command functionality
The virus creates a thread that connects to an IRC server over TCP port 8080, using the channel as a line of communication and instruction to the virus. It connects to the IRC server at '72.20.27.115' in order to receive instructions from a malicious user.

Miscellaneous
While running on a compromised system, this virus creates up to 200 threads, each scanning for vulnerable systems. This also contributed to its high prevalence.
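The spreading routine and the IRC connection described above give a defender two network signatures: one internal host fanning out on TCP 445 to many distinct /24 networks within its own Class A range, and a connection to the IRC server on TCP 8080. The following is an added detection example, not code from the original Fortinet entry; it assumes a constructed firewall log format of "timestamp src_ip dst_ip dst_port protocol" and a scan threshold of five distinct /24s.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall connection records (not from the original entry).
# Assumed format: timestamp src_ip dst_ip dst_port protocol
SAMPLE_LOG = """\
2006-02-16T10:00:01 192.168.29.56 192.168.1.71 445 tcp
2006-02-16T10:00:01 192.168.29.56 192.168.113.2 445 tcp
2006-02-16T10:00:02 192.168.29.56 192.168.44.50 445 tcp
2006-02-16T10:00:02 192.168.29.56 192.168.200.9 445 tcp
2006-02-16T10:00:03 192.168.29.56 192.168.7.130 445 tcp
2006-02-16T10:00:03 192.168.29.56 192.168.88.21 445 tcp
2006-02-16T10:00:04 192.168.29.56 72.20.27.115 8080 tcp
2006-02-16T10:00:05 192.168.29.60 192.168.29.1 445 tcp
2006-02-16T10:00:06 192.168.29.61 10.1.2.3 443 tcp
"""

IRC_C2 = {("72.20.27.115", 8080)}  # IRC server and port named in the analysis
SCAN_THRESHOLD = 5  # distinct /24s hit on TCP 445 before a source counts as scanning

def parse_log(text):
    """Parse the assumed space-separated record format into tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, proto = line.split()
            rows.append((ts, src, dst, int(port), proto))
    return rows

def find_zotob_like_hosts(rows, threshold=SCAN_THRESHOLD):
    """Flag sources that fan out on TCP 445 across many /24s (the worm's random scan)
    or that reach the IRC command server; same_class_a records whether every 445
    target shares the source's first octet, as the Class A-bound scan would."""
    subnets = defaultdict(set)  # src -> distinct /24 networks probed on 445
    c2_sources = set()
    for _, src, dst, port, proto in rows:
        if proto == "tcp" and port == 445:
            subnets[src].add(ipaddress.ip_network(dst + "/24", strict=False))
        if proto == "tcp" and (dst, port) in IRC_C2:
            c2_sources.add(src)
    findings = {}
    for src in set(subnets) | c2_sources:
        nets = subnets.get(src, set())
        first_octet = ipaddress.ip_address(src).packed[0]
        same_a = bool(nets) and all(n.network_address.packed[0] == first_octet for n in nets)
        if len(nets) >= threshold or src in c2_sources:
            findings[src] = {"scan_subnets": len(nets), "same_class_a": same_a, "c2_contact": src in c2_sources}
    return findings
```

On the constructed sample, only 192.168.29.56 is flagged: six distinct /24s probed on 445 within its own Class A range plus the IRC contact, while the single 445 connection from 192.168.29.60 stays below the threshold.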

Description Last Updated Date: Mar 13, 2007
Reference: ID - 152948