Here are some details on the zotob worm (s) culled from several sources….
It copies itself to the Windows system folder as BOTZOR.EXE, it modifies the hosts file to frustrate attempts to access antivirus sites. The .b variant copies itself as csm.exe in the Windows System folder. Both variants create a Mutex so that only one copy can run at a time.
According to Sarc the .b variant adds
“csm Win Updates” = “csm.exe”
to the registry at two locations
so that it runs at Windows boot. It also modifies
“Start” = “4″
to the registry subkey:
disabling shared access.
It opens an ftp server on port 33333 (TCP), tries to connect to an IRC server to allow remote control of the PC, attempts to spread within the local subnet.
Also it drops 2pac.txt and haha.exe in the system folder.
The host file modifications are as follows:
11. …. Made By …. Greetz to good friend [REMOVED] in the next 24hours!!!
This covers a wide net of sites (Amazon Paypal Ebay) beyond the usual security/antivirus sites.
The only difference I can see between .a and .b is the name of the executable (botzor.exe and csm.exe)
Related PostsRelated Posts
- McAfee Antivirus gives Windows XP Autoimmune disorder.... Bad day for McAfee antivirus users..... It looks like the corporate users were bit the hardest. An update this morning basically detected svchost.exe as a virus and sent machines (Windows 7 not affected - but XP SP3 was...) into a perpetual reboot cycle. The fix requires manual intervention and some......
- So who is behind Windows Police Pro Virus / Rogue Security Software? As I've seen the continuing FLOOD of searches for some way to Remove Windows Police Pro, I've been starting to wonder at the who is behind this particular piece of junk software. These programs aren't written by your average ordinary virus writer, there is really too much spit and polish......
- 16,000 new viruses this year This is for all those people that say to me. "There haven't been any new viruses lately have there?" It's really amazing to me that people think if it's not on the national news it doesn't happen.... According to Pc Pro, Sophos has reported that 16000 new viruses have been......
- Learning about Investing I get asked by a lot of newbie investors about what to read. Rather than keep on searching and sending out the same list repeatedly, I decided to put it up online. Here's my list of the best investing books. You'll see some of the all time classics like Benjamin......
- 123 Bingo Online Online Bingo Online Bingo Started in December 2004, 123Bingoonline has been bringing online entertainment through fair play and transparency to bingo-enthusiasts. We provide online bingo, slots, keno, online blackjack, video poker, online roulette, craps and many other online casino games. We are a passionate team of over 100 employees......
- Club Med BOOK ONLINE Booking on our website is available 24 hours a day and offers a quick and easy way to book your holiday. Go directly to your Club Med Resort by using the ‘Direct access to resort page’ option at the top right of the homepage, or simply use......
- Anti phishing information (phighting phishing ?)
- Remove Personal Antivirus
- Zotob worm bites big media outlets
- New Beagle/Bagle variant?