Zotob details

Here are some details on the Zotob worm(s), culled from several sources.

It copies itself to the Windows system folder as BOTZOR.EXE and modifies the hosts file to frustrate attempts to reach antivirus sites. The .b variant copies itself as csm.exe in the Windows system folder. Both variants create a mutex so that only one copy runs at a time.

According to Sarc, the .b variant adds

"csm Win Updates" = "csm.exe"

to the registry at two locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

so that it runs at Windows boot. It also sets

"Start" = "4"

in the registry subkey

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

which disables the SharedAccess service (the Windows Firewall / Internet Connection Sharing service); a Start value of 4 is SERVICE_DISABLED.
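The two registry changes above are easy to check for after the fact from a registry export. The following is an added example (not from the original post or from any vendor writeup): it parses a constructed `regedit /e` style export, looks in the Run and RunServices keys for the executable names the post attributes to Zotob (botzor.exe and csm.exe), and reports whether the SharedAccess service has been set to Start=4. The sample export, the key list and the indicator names are assumptions built only from what the post states, so a real sweep would use current vendor signatures rather than this short list.

```python
import re
from typing import Dict, List

# Constructed sample of a "regedit /e" export; NOT captured from an infected machine.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"csm Win Updates"="csm.exe"
"SoundMan"="C:\\WINDOWS\\system32\\SOUNDMAN.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"csm Win Updates"="csm.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"Type"=dword:00000020
"""

# Executable names the post attributes to the .a and .b variants (assumption: nothing else).
ZOTOB_BINARIES = {"botzor.exe", "csm.exe"}

AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
SHAREDACCESS_KEY = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess"
SERVICE_DISABLED = 4  # Start=4 is the SERVICE_DISABLED start type

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of .reg syntax used above: [key] headers,
    "name"="string" values and "name"=dword:hex values. Keys are lowercased."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[len("dword:"):], 16)
            elif data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and double quotes with a backslash
                keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                keys[current][name] = data  # hex(...) and other types are left raw
    return keys


def find_zotob_indicators(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Return human-readable findings for autorun entries naming a Zotob binary
    and for a disabled SharedAccess service."""
    findings: List[str] = []
    for key in AUTORUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if not isinstance(data, str):
                continue
            # first token of the command, last path component, case-folded
            exe = data.split()[0].rsplit("\\", 1)[-1].lower()
            if exe in ZOTOB_BINARIES:
                findings.append(f"autorun {key}\\{name} -> {data}")
    if keys.get(SHAREDACCESS_KEY, {}).get("Start") == SERVICE_DISABLED:
        findings.append("SharedAccess (Windows Firewall/ICS) service Start=4 (disabled)")
    return findings


if __name__ == "__main__":
    for finding in find_zotob_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On the constructed export this reports the two autorun entries and the disabled firewall service; on a clean export it returns an empty list. Exporting the three keys with `regedit /e` and feeding the file to `parse_reg_export` is the intended use.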

It opens an FTP server on TCP port 33333, tries to connect to an IRC server so the PC can be controlled remotely, and attempts to spread within the local subnet.

It also drops 2pac.txt and haha.exe in the system folder.

The hosts file modifications are as follows:

11. …. Made By …. Greetz to good friend [REMOVED] in the next 24hours!!!

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

This casts a wide net (Amazon, PayPal, eBay) beyond the usual security and antivirus sites.
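Because the hosts file is plain text, the override pattern shown above is simple to detect on a machine or in a collected file. The following is an added example, not code from the original post: it parses a constructed hosts file (a few normal entries mixed with loopback overrides of the kind listed above), and flags every public-looking name that has been pointed at a loopback or unspecified address, marking which of them belong to a short list of vendor domains. The sample content and the watched-domain list are assumptions for the example; the list is a subset of the sites above, not an exhaustive vendor list.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed hosts file content; NOT copied from a real machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.corp.example
127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.microsoft.com
0.0.0.0   www.paypal.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
"""

# Names that legitimately map to loopback and must not be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains whose loopback override is a strong sign of AV/update tampering
# (assumption: a subset of the list in the post, chosen for the example).
WATCHED_SUFFIXES = ("symantec.com", "mcafee.com", "microsoft.com", "paypal.com")

Entry = Tuple[ipaddress._BaseAddress, str, int]


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname, line_no) for every mapping, ignoring comments and blanks.
    A line whose first field is not an IP address is skipped."""
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed; a stricter tool would report it
        for host in fields[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def find_sinkholed_hosts(text: str) -> List[Dict[str, object]]:
    """Flag names mapped to a loopback (127/8, ::1) or unspecified (0.0.0.0)
    address that are not ordinary local names. 'watched' marks vendor domains."""
    findings: List[Dict[str, object]] = []
    for ip, host, line_no in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        if not (ip.is_loopback or ip.is_unspecified):
            continue  # ordinary static mapping, e.g. an intranet printer
        watched = any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append({"line": line_no, "host": host, "ip": str(ip), "watched": watched})
    return findings


if __name__ == "__main__":
    for f in find_sinkholed_hosts(SAMPLE_HOSTS):
        flag = "VENDOR" if f["watched"] else "other"
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{flag}]")
```

Read `%SystemRoot%\System32\drivers\etc\hosts` and pass its text to `find_sinkholed_hosts` to run this on a live machine; anything reported with `watched` set is worth treating as a tampering indicator rather than an admin's deliberate override.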

The only difference I can see between .a and .b is the name of the executable (botzor.exe and csm.exe).

News.com also has more coverage.
