Esbot and Zotob updates….



Wednesday afternoon and Esbot is up to revision .B, Zotob is up to G according to Sarc (Symantec antivirus research). They have appropriate removal tools and details on affected systems there. Meanwhile the Sans institute (incidents.org) has a rundown of the latest in todays handlers diary.



They also explain why they’re still at infocon Green (as opposed to yellow over the weekend.)

Among the details they’ve gleaned from the zotob advisories….

Zotob.A

Executable size: 22,528 bytes
Executable Name: botzor.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend]

Other details – Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.B
Executable size: 27,648 bytes
Executable Name: csm.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.B [F-Secure] W32/Zotob.worm.b [McAfee] W32/Zotob-B [Sophos]
WORM_ZOTOB.B [Trend Micro]

Other details – Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.C

Executable size: 41,984 bytes
Executable Name: per.exe
Ports: TCP – 445,8080,33333

Other details – Mass-mailing worm uses a predefined list of recipient names appending the domain names that it gathers from an infected computer. Contains its own SMTP engine to email to the addresses that it finds. Opens FTP server on port 33333, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.D

Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP – 6667,1117,445

Other details – Opens FTP server on port 11173, attempts to end a variety of processes , Modifies the registry and deletes a variety of registry entries, and deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.E

Executable size: 10,366 bytes
Executable Name: wintbp.exe
Ports: TCP – 8594,8080,445, UDP – 69
Aliases: WORM_RBOT.CBQ [Trend Micro]

Other details – Opens TFTP server on port UDP 69, Connects to IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, adds itself to the run in the registry.

Zotob.F

Executable size: 10,878 bytes
Executable name: wintbpx.exe Portls: TCP –445

Other details – Opens multiple TCP ports. Connects to IRC server at 72.20.41.139 to listen for update instructions, adds itself to the run in the registry, creates a file named %Temp%[NUMBER] which if successful contains TFTP scripts to download additional files.

Zotob.G

Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP –445,6667,1171
Aliases: W32.Drudebot.A

Other details – Attempts to connect IRC servers on port 6667, Opens a TFTP server on port 1171, attempts to end a variety of processes , Modifies the registry and deletes a variety of registry entries, and deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry, creates a file named %Temp%[NUMBER] which if successful contains TFTP scripts to download additional files. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Related Posts

Blog Traffic Exchange Related Posts
  • Windows Police Pro Yes folks, it's Windows Police Pro, the gift that keeps on giving apparently. It's crawled back into Googles top searches tonight. If you want to see how to remove it look at Windows Police Pro Removal, you may be interested in Who is behind Windows Police Pro and probably will......
  • How to Remove Desktop Security 2010 | Desktop Security 2010 Removal Guide Desktop Security 2010 is a rogue antivirus application. It is a successor to Total PC Defender and installs on your pc without permission through the use of malware. Once on your system it will create numerous files that it then finds during scheduled scans and it claims these files are......
  • Network Security guide for the home or small business network - Part 2 - A Software Firewall Do I really need a hardware firewall? I'm running XP Service Pack 2 with the built in firewall? (or norton, or zonealarm?) Well, personal firewalls (the name that software firewalls go by) are good for a great many things that hardware firewalls AREN'T. They do have their limitations though and......
Blog Traffic Exchange Related Websites
  • Application Virtualization with ThinApp (formerly Thinstall) I don't know why this is not getting more attention.  VMware and Landesk's Thinstall (now called ThinApp) has been out for close to two years now and I continue to be surprised that it is not more widely adopted. It is a great product that really lives up to the......
  • Triathlon Terms Here is a brief glossary of terms used in triathlon training and triathlon racing. 70.3 - This term is used to describe a Half Ironman race distance, which is a 1.2 mile swim, a 56 mile bike an 13.1 mile run. 140.6 - This term is used to describe an......
  • Open Office Would you like to have an office suite of software, similar to Microsoft Office and compatible with it's file formats, but without the price tag? OK, so that's a no-brainer; of course you would. Well, Open Office is exactly that. It's open source software that is 100% free to download......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site