A packed PE executable with a minimum size of 15.489 bytes, the file seems to append garbage bytes at the end as previously seen in W32/Mytob. However, the original sample 22.528 bytes in size.
Although it spreads by using a similar technique to W32/Sasser (spreading via network by exploiting an operating system vulnerability) W32/Zotob.A traces its origins back to W32/Mytob that is itself a descendant of W32/Mydoom. Like W32/Mytob, W32/Zotob.A is built with an IRC bot named HellBot3 (by the author) but differs in its spreading technique; W32/Mytob spreads via e-Mail while W32/Zotob.A uses the method described above.
During its installation, the worm copies itself to the system directory (usually located at C:\Winnt\System32 in Windows 2000) then makes sure it's executed on startup by adding the same value and data under the two following keys :
Value and data :
"WINDOWS SYSTEM" = "botzor.exe"
It then disables the Shared Access service by changing the registry value :
Value and data :
from : "Start" = 2
to : "Start" = 4
The worm then makes sure it gives the user a hard time in accessing security related websites and a number of other popular websites. W32/Zotob.A adds the following lines into the host file located at %windir%\System32\drivers\etc\ :
The worm then adds a greeting to a friend and a message to antivirus companies to the host file :
Botzor2005 Made By .... Greetz to good friend [REMOVED]. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
For those who were worried there, it should be mentioned that no antivirus company has been hurt.
Now connecting to an IRC server the worm starts its infection routine and awaits its human master commands from the IRC server.
Containing not only an IRC bot the worm also can serve as a FTP server that it then uses to spread itself. The spreading routine is best explained by listing out its major functions:
It starts the build in FTP server, to serve the file haha.exe.
Then starts searching for computers who have port 445 open.
On finding one, it tries to exploit it by taking advantage of using the previously mentioned Plug and Play vulnerability.
If successful, the exploit binds a command prompt to a network port.
The worm then connects to that port sending several commands (that are mostly for creating a FTP script), then running the default FTP client and passing the FTP script to it. The now scripted FTP client connects to the FTP server on the infected computer and downloads the file haha.exe.
Finally it executes haha.exe.
The worm then starts the whole process again on a newly infected computer.
As the exploit was designed for Windows 2000 the worm is only able to infect computers running this operating system.