Zotob details



Here are some details on the zotob worm (s) culled from several sources….

It copies itself to the Windows system folder as BOTZOR.EXE, it modifies the hosts file to frustrate attempts to access antivirus sites. The .b variant copies itself as csm.exe in the Windows System folder. Both variants create a Mutex so that only one copy can run at a time.

According to Sarc the .b variant adds
“csm Win Updates” = “csm.exe”
to the registry at two locations

HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRun
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionRunServices

so that it runs at Windows boot. It also modifies
“Start” = “4″

to the registry subkey:

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesSharedAccess
disabling shared access.

It opens an ftp server on port 33333 (TCP), tries to connect to an IRC server to allow remote control of the PC, attempts to spread within the local subnet.

Also it drops 2pac.txt and haha.exe in the system folder.

The host file modifications are as follows:

11. …. Made By …. Greetz to good friend [REMOVED] in the next 24hours!!!

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

This covers a wide net of sites (Amazon Paypal Ebay) beyond the usual security/antivirus sites.

The only difference I can see between .a and .b is the name of the executable (botzor.exe and csm.exe)

News.com also has more coverage.

Related Posts

Blog Traffic Exchange Related Posts
  • McAfee Antivirus gives Windows XP Autoimmune disorder.... Bad day for McAfee antivirus users..... It looks like the corporate users were bit the hardest. An update this morning basically detected svchost.exe as a virus and sent machines (Windows 7 not affected - but XP SP3 was...) into a perpetual reboot cycle. The fix requires manual intervention and some......
  • Zero-day ( 0-day) Microsoft Word exploit There was some news on this last night at Incidents.org, today F-secure has some details as well on the trojan that's dropped in this circulating, exploit. It seems as though the initial attack was very targetted against a specific organization. Antivirus packages did not recognize the trojan that the exploit......
  • Disinfecting a PC... part 1 This is the first in a several part series documenting the cleaning of an infected PC. The only real noteworthy item is that it was a dial-up only connection and was rather infested for that. (On par with some of the broadband connected pc's I've seen. It's also an interesting......
Blog Traffic Exchange Related Websites
  • The Watch Co. The Watch Co. began in 1993 with one ambitious college student and a vision to offer a wide selection of watches along with incredible service and expertise. The Watch Co. is dedicated to customers who share our appreciation for a high-quality, well-designed timepiece. And because we're an authorized dealer......
  • Score Two Free Audiobooks with Audible.com’s TV Offer Audible.com, a subsidiary of Amazon, is currently offering a special deal in which new listeners can get two free audiobooks and a 30-day free trial gold membership under its special television offer (advertised as www.audible.com/tvoffer). The TV Offer from Audible is currently the best deal that Audible has available for......
  • Make Blogging Work for Your Business pt 2 Are you ready to make blogging work for your business? If you already know the benefits associated with corporate blogging, then the next step is to put these concepts to work by creating your own corporate blog and sharing your company with the world. This is part 2 in a......
en.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site