A packed PE executable with a minimum size of 15.489 bytes; the file appears to append garbage bytes at the end, as previously seen in W32/Mytob. The original sample, however, is 22.528 bytes in size.
Although it spreads using a technique similar to W32/Sasser (over the network, by exploiting an operating system vulnerability), W32/Zotob.A traces its origins back to W32/Mytob, which is itself a descendant of W32/Mydoom. Like W32/Mytob, W32/Zotob.A is built on an IRC bot that its author named HellBot3, but it differs in its spreading technique: W32/Mytob spreads via e-mail, while W32/Zotob.A uses the method described above.
During its installation, the worm copies itself to the system directory (usually C:\Winnt\System32 on Windows 2000) and then makes sure it is executed on startup by adding the same value and data under the following two keys:
Keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Value and data:
"WINDOWS SYSTEM" = "botzor.exe"
It then disables the Shared Access service (the Windows Firewall / Internet Connection Sharing service) by changing the registry value:
Key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
Value and data:
from: "Start" = 2
to: "Start" = 4
The worm then makes it hard for the user to reach security-related websites and a number of other popular websites. W32/Zotob.A adds the following lines, each mapping a hostname to 127.0.0.1, to the hosts file located at %windir%\System32\drivers\etc\:
The worm also appends a greeting to a friend and a message to antivirus companies to the hosts file:
Botzor2005 Made By .... Greetz to good friend [REMOVED]. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
For those who were worried, it should be mentioned that no antivirus company has been hurt.
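As an added example (not part of the original analysis), the following Python audit parses a hosts file the way a responder would after reading the above: it reports hostnames pointed at loopback other than localhost and any lines that are not valid hosts entries, which is exactly what the appended greeting produces. The sample hosts content is constructed here from a few of the entries the page lists.

```python
import ipaddress

# Constructed sample: a hosts file as W32/Zotob.A would leave it. It mixes a
# legitimate localhost line, a few of the redirected hostnames from the page and
# the appended greeting/message lines. Not captured from a real host.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.paypal.com
Botzor2005 Made By .... Greetz to good friend [REMOVED]. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
"""

# Addresses that silently sink a hostname; 0.0.0.0 is included because ad-blocking
# hosts files use it the same way, so a reviewer should still see those entries.
SINK_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}
# Names that legitimately resolve to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}
# Strings the page quotes from the text the worm appends to the hosts file.
ZOTOB_MARKERS = ("Botzor2005", "Based On HellBot3")


def audit_hosts(text):
    """Return {'sinkholed': [...], 'junk': [...]} for the given hosts-file text.

    'sinkholed' lists hostnames (lower-cased, in file order) mapped to a sink
    address; 'junk' lists non-comment lines whose first token is not an IP
    address, i.e. lines no hosts parser would accept, such as an appended message.
    """
    sinkholed, junk = [], []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not stripped:
            continue
        addr, *names = stripped.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            junk.append(stripped)
            continue
        if addr in SINK_ADDRESSES:
            sinkholed.extend(n.lower() for n in names
                             if n.lower() not in LEGIT_LOOPBACK_NAMES)
    return {"sinkholed": sinkholed, "junk": junk}


def matches_zotob(text):
    """True if any of the greeting strings quoted on the page is present."""
    return any(marker in text for marker in ZOTOB_MARKERS)
```

Read the live file with `open(r"C:\Windows\System32\drivers\etc\hosts").read()` and pass it to both functions; a non-empty `junk` list or any security vendor name under `sinkholed` warrants a closer look at the Run keys listed above.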
The worm then connects to an IRC server, starts its infection routine and awaits commands from its human master over that IRC connection.
Besides the IRC bot, the worm also contains an FTP server that it uses to spread itself. The spreading routine is best explained by listing its major steps:
- It starts the built-in FTP server, which serves the file haha.exe.
- It then starts searching for computers that have port 445 open.
- On finding one, it tries to exploit it using the previously mentioned Plug and Play vulnerability.
- If successful, the exploit binds a command prompt to a network port.
- The worm then connects to that port and sends several commands (mostly to create an FTP script), then runs the default FTP client and passes the FTP script to it. The scripted FTP client connects to the FTP server on the infecting computer and downloads the file haha.exe.
- Finally, it executes haha.exe.
The worm then starts the whole process again from the newly infected computer.
As the exploit was designed for Windows 2000, the worm is only able to infect computers running that operating system.