«
»

Zotob details



Here are some details on the zotob worm (s) culled from several sources….

It copies itself to the Windows system folder as BOTZOR.EXE, it modifies the hosts file to frustrate attempts to access antivirus sites. The .b variant copies itself as csm.exe in the Windows System folder. Both variants create a Mutex so that only one copy can run at a time.

According to Sarc the .b variant adds
“csm Win Updates” = “csm.exe”
to the registry at two locations

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices

so that it runs at Windows boot. It also modifies
“Start” = “4″

to the registry subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccess
disabling shared access.

It opens an ftp server on port 33333 (TCP), tries to connect to an IRC server to allow remote control of the PC, attempts to spread within the local subnet.

Also it drops 2pac.txt and haha.exe in the system folder.

The host file modifications are as follows:

11. …. Made By …. Greetz to good friend [REMOVED] in the next 24hours!!!

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

This covers a wide net of sites (Amazon Paypal Ebay) beyond the usual security/antivirus sites.

The only difference I can see between .a and .b is the name of the executable (botzor.exe and csm.exe)

News.com also has more coverage.

Popularity: 1% [?]

Free PDF    Send article as PDF   
Blog Traffic Exchange Related Posts
  • Different attitudes towards upgrading and developing software So many times, even in the last few days, I have talked about keeping software up-to-date. For many people that means upgrading to the latest version of windows as soon as it comes out, or Office, or well... fill in the blank. It's a vicious cycle when you think about......
  • 16,000 new viruses this year This is for all those people that say to me. "There haven't been any new viruses lately have there?" It's really amazing to me that people think if it's not on the national news it doesn't happen.... According to Pc Pro, Sophos has reported that 16000 new viruses have been......
  • Profiteering and scams after Katrina It's worth warning that there will be a number of sham organizations and individuals looking to profit off the misery of others after the recent hurricane. The security fix has a posting on just that. Katrinahelp.com, www.katrinadonations.com and www.katrinarelief.com appear suspect in his first writing. It's importan to note that......
Blog Traffic Exchange Related Websites
  • Poker Time Get a 100% match bonus up to $200 If you're a poker fan, then there's no better place to wager your stake than at PokerTime. Whether you are a beginner or pro, you'll thoroughly enjoy the wide selection of games that this action-packed poker room has to offer. At......
  • Spookley: Celebrate Halloween With This Special Square Pumpkin Halloween is quickly approaching and it’s always to find new ways of celebrating. Are you familiar with Spookley? Spookley is great Halloween story about a square pumpkin that learns the thing that makes you different makes you special. On Halloween after all the trick or treating end the night......
  • Rancho Solano Golf Course Ranch Solano Golf Course is located in Fairfield, CA Phone: 707-429-4653 Website: http://www.fairfieldgolf.com Course History: Rancho Solano is one of the two best courses in Fairfield, CA. It features a Par 72 course stretched out over more than 6,000 yards of playable space. It was designed by Gary Roger Baird......

Similar Posts


This entry was posted on Monday, August 15th, 2005 at 12:49 pm and is filed under Computers, Security, Viruses. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.

Switch to our mobile site