Zotob details



Here are some details on the zotob worm (s) culled from several sources….

It copies itself to the Windows system folder as BOTZOR.EXE, it modifies the hosts file to frustrate attempts to access antivirus sites. The .b variant copies itself as csm.exe in the Windows System folder. Both variants create a Mutex so that only one copy can run at a time.

According to Sarc the .b variant adds
“csm Win Updates” = “csm.exe”
to the registry at two locations

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices

so that it runs at Windows boot. It also modifies
“Start” = “4″

to the registry subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccess
disabling shared access.

It opens an ftp server on port 33333 (TCP), tries to connect to an IRC server to allow remote control of the PC, attempts to spread within the local subnet.

Also it drops 2pac.txt and haha.exe in the system folder.

The host file modifications are as follows:

11. …. Made By …. Greetz to good friend [REMOVED] in the next 24hours!!!

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

This covers a wide net of sites (Amazon Paypal Ebay) beyond the usual security/antivirus sites.

The only difference I can see between .a and .b is the name of the executable (botzor.exe and csm.exe)

News.com also has more coverage.

Related Posts

Blog Traffic Exchange Related Posts
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
  • How to Remove Anti-Virus Elite | Anti-Virus Elite Removal Guide Anti-Virus Elite is a rogue antivirus application. These rogue antivirus applications pose as a legitimate security application, but in reality is a scam to try to trick you out of money. They will find and claim that there are multiple security problems with your computer. They will claim that you......
  • Profiteering and scams after Katrina It's worth warning that there will be a number of sham organizations and individuals looking to profit off the misery of others after the recent hurricane. The security fix has a posting on just that. Katrinahelp.com, www.katrinadonations.com and www.katrinarelief.com appear suspect in his first writing. It's importan to note that......
Blog Traffic Exchange Related Websites
  • 123 Bingo Online Online Bingo Online Bingo Started in December 2004, 123Bingoonline has been bringing online entertainment through fair play and transparency to bingo-enthusiasts. We provide online bingo, slots, keno, online blackjack, video poker, online roulette, craps and many other online casino games. We are a passionate team of over 100 employees......
  • How to Relocate your Wordpress Blog to a New Domain Name Making the decision to move my blog from http://www.courseladder.com to http://www.golfballdriver.com was a big one, and a good one, and it taught me a lot about learning how to relocate your Wordpress blog to a new domain name under the same hosting provider. Course Ladder suited me for a while,......
  • Make Blogging Work for Your Business pt 2 Are you ready to make blogging work for your business? If you already know the benefits associated with corporate blogging, then the next step is to put these concepts to work by creating your own corporate blog and sharing your company with the world. This is part 2 in a......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site