Net-Worm.Win32.Zotob.f
Category: Internet Worm (Net-Worm)
Risk: Medium
Length: 10'878 Bytes
Platform: Windows 95, 98, Me, NT, 2000, Windows Server 2003, Windows XP
Aliases: W32/Zotob-F (Sophos), Net-Worm.Win32.Bozori.b (KAV), W32.Zotob.F (Symantec)
Date discovered: 08/17/2005
Added to virus database: 08/17/2005
Modifications: Net-Worm.Win32.Zotob.e
In-The-Wild / Epidemic: Yes
Description
Net-Worm.Win32.Zotob.f is a worm and IRC backdoor Trojan for the Windows platform.
Net-Worm.Win32.Zotob.f spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
Net-Worm.Win32.Zotob.f runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run, Net-Worm.Win32.Zotob.f copies itself to %WINDOWSSYSTEM%\wintbpx.exe and creates the following files:
%TEMP%\387.bat
%TEMP%\821.bat
These are batch files which attempt to remove the worm's file from the current folder.
The following registry entry is created to run wintbpx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbpx.exe
wintbpx.exe
The worm attempts to terminate the following processes and delete the corresponding files:
wintbp.exe
svnlitup32.exe
service32.exe
mousebm.exe
llsrv.exe
pnpsrv.exe
winpnp.exe
csm.exe
system32.exe
botzor.exe
upnp.exe
Patches for the operating system vulnerabilities exploited by Net-Worm.Win32.Zotob.f can be obtained from Microsoft at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx