FRISK Software International

Summary of W32/Zotob.C@mm
Discovered: 15 Aug 2005
Definition files: 15 Aug 2005
Risk Level: Medium
Infection Method:E-Mail, Network
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description

The worm is very similar to its predecessors, except for an added mass-mailing infection routine. This enables the worm to infect more versions of Windows using e-mails, but still it is only able to successfully exploit Windows 2000.

Technical Description

Packed PE executable like before, it has the minimum size of 29.548 bytes, which is twice as large as the variants before.

Gaining a mass-mailing routine, the worm is a step closer to W32/Mytob than previous variants. This allows the worm to infect more versions of Windows as previously stated in the brief description.

It uses spoofing to trick the user into opening the infected e-mail. For that purpose it contains lists of possible subjects, content, filenames (for attachment) and senders :

Possible subjects :
  • Confirmed...
  • Hello
  • Important!
  • Warning!!
  • **Warning**
Possible e-mail content :
  • 0K here is it!
  • hey!!
  • looooool
  • That's your photo!!?
  • We found a photo of you in ...
Possible attachment name :
  • image
  • loool
  • photo
  • picture
  • sample
  • webcam_photo
  • your_photo
Possible attachment extensions :
  • PIF, SCR, EXE, CMD and BAT.
Possible senders (domains are harvested from the infected computer) :
  • abuse
  • accoun
  • admin
  • administrator
  • anyone
  • bsd
  • bugs
  • ca
  • certific
  • contact
  • feste
  • gold-certs
  • google
  • help
  • icrosoft
  • info
  • linux
  • listserv
  • me
  • no
  • nobody
  • noone
  • not
  • nothing
  • ntivi
  • page
  • postmaster
  • privacy
  • rating
  • root
  • samples
  • secur
  • security
  • service
  • site
  • soft
  • somebody
  • someone
  • spam
  • spm
  • submit
  • support
  • the.bat
  • unix
  • webmaster
  • www
  • you
  • your

Using the same shell code for the exploit as before, the worm can only infect Windows 2000 using that method.

Removal Instructions
For general removal instructions please click here.

rstur Snr Eisson

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)