Summary of W32/Zotob.D@mm
Discovered: 21 Aug 2005
Definition files: 21 Aug 2005
Risk Level: Medium
Infection Method: E-Mail, Network
Brief Description

Like the C variant, W32/Zotob.D spreads by mass-mailing and via the PnP exploit. The exploit is unmodified since the A variant, so it can only infect systems running Windows 2000.

Technical Description

Unlike the other variants, W32/Zotob.D is not packed; it is a 94,208-byte PE executable.

Like the C variant, it tries to trick the user into opening an infected e-mail attachment; the difference is that this variant's lure is far more convincing. For example:

Dear [DOMAIN] Member,

We have temporarily suspended your email account [RECEIVER E-MAIL].

This might be due to either of the following reasons:

1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [DOMAIN] account.

Please also visit our irc server [REMOVED]
The [DOMAIN] Support Team

+++ Attachment: No Virus (Clean)
+++ [DOMAIN] Antivirus - www.[DOMAIN]

The message also encourages the recipient to visit the worm's IRC server, which we strongly advise against. Those familiar with W32/Mytob will recognise that this variant has taken its phishing routine from W32/Mytob, as the e-mails are almost identical to those sent by W32/Mytob.
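The lure quoted above has a fixed template: an "account suspended" pretext addressed to the recipient's own domain, a forged "Support Team" signature using that same domain, an IRC invitation, and a bogus "+++ Attachment: No Virus (Clean)" scanner trailer meant to make the attachment look safe. A mail gateway can score on these fixed traits. The detector below is an added example written for this page, not F-Secure code; the sample messages are constructed from the template above (addresses, the "example.org" domain and the attachment name are placeholders), and the indicator weights and the threshold of three hits are the example's own assumptions.

```python
"""Heuristic scorer for the Zotob.D / Mytob 'account suspended' lure template.

Added example (not from the original description). Assumes messages are
supplied as raw RFC 822 text and that the recipient's domain can be read from
the To: header.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Phrases taken from the lure quoted in the description, matched case-insensitively.
LURE_PHRASES = {
    "suspended_account": r"temporarily suspended your e?-?mail account",
    "fake_av_verdict": r"\+\+\+\s*attachment:\s*no virus\s*\(clean\)",
    "irc_invite": r"\birc server\b",
    "signup_pretext": r"invalid information during the initial sign ?up",
}

# Constructed sample mirroring the lure template; domain, addresses and
# attachment name are placeholders, not captured data.
LURE_SAMPLE = (
    "From: support@example.org\n"
    "To: Alice <alice@example.org>\n"
    "Subject: Account suspended\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n'
    "\n"
    "--XX\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Dear example.org Member,\n"
    "\n"
    "We have temporarily suspended your email account alice@example.org.\n"
    "2. Submiting invalid information during the initial sign up process.\n"
    "Please also visit our irc server [REMOVED]\n"
    "The example.org Support Team\n"
    "\n"
    "+++ Attachment: No Virus (Clean)\n"
    "+++ example.org Antivirus - www.example.org\n"
    "--XX\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="attachment.dat"\n'
    "\n"
    "AAAA\n"
    "--XX--\n"
)

# Constructed benign message for comparison.
BENIGN_SAMPLE = (
    "From: bob@example.org\n"
    "To: alice@example.org\n"
    "Subject: Lunch\n"
    "\n"
    "Hi Alice, are we still on for lunch on Friday?\nBob\n"
)


def recipient_domain(msg: Message) -> str:
    """Domain part of the first To: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("To", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is declared as an attachment."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw: str) -> dict:
    """Return the indicators hit by a raw message and a verdict.

    The lure always signs itself as '<recipient domain> Support Team', so a
    signature that names the recipient's own domain counts as a hit; the
    threshold of three hits is this example's assumption, not a vendor value.
    """
    msg = message_from_string(raw)
    text = body_text(msg)
    hits = [name for name, pat in LURE_PHRASES.items() if re.search(pat, text, re.I)]
    dom = recipient_domain(msg)
    if dom and re.search(rf"\b{re.escape(dom)}\b.*support team", text, re.I):
        hits.append("self_domain_support_team")
    if has_attachment(msg):
        hits.append("attachment_present")
    return {"score": len(hits), "hits": hits, "suspicious": len(hits) >= 3}


if __name__ == "__main__":
    for label, sample in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The scorer deliberately keys on traits the worm cannot vary without rewriting its template (the fake scanner trailer, the self-domain "Support Team" signature, the IRC invitation), rather than on the sender address or subject, which the worm forges freely. Any single indicator can appear in legitimate mail, so a verdict is only raised when several coincide.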

It looks as if this variant may have a different author from the previous three. A message inside the worm suggests that the source code is in distribution.

In other respects the worm is like its predecessors, so the exploit can only be used to infect systems running Windows 2000.

Removal Instructions
For general removal instructions please click here.

