Esbot and Zotob updates….



Wednesday afternoon and Esbot is up to revision .B, Zotob is up to G according to Sarc (Symantec antivirus research). They have appropriate removal tools and details on affected systems there. Meanwhile the Sans institute (incidents.org) has a rundown of the latest in todays handlers diary.



They also explain why they’re still at infocon Green (as opposed to yellow over the weekend.)

Among the details they’ve gleaned from the zotob advisories….

Zotob.A

Executable size: 22,528 bytes
Executable Name: botzor.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend]

Other details – Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.B
Executable size: 27,648 bytes
Executable Name: csm.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.B [F-Secure] W32/Zotob.worm.b [McAfee] W32/Zotob-B [Sophos]
WORM_ZOTOB.B [Trend Micro]

Other details – Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.C

Executable size: 41,984 bytes
Executable Name: per.exe
Ports: TCP – 445,8080,33333

Other details – Mass-mailing worm uses a predefined list of recipient names appending the domain names that it gathers from an infected computer. Contains its own SMTP engine to email to the addresses that it finds. Opens FTP server on port 33333, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.D

Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP – 6667,1117,445

Other details – Opens FTP server on port 11173, attempts to end a variety of processes , Modifies the registry and deletes a variety of registry entries, and deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.E

Executable size: 10,366 bytes
Executable Name: wintbp.exe
Ports: TCP – 8594,8080,445, UDP – 69
Aliases: WORM_RBOT.CBQ [Trend Micro]

Other details – Opens TFTP server on port UDP 69, Connects to IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, adds itself to the run in the registry.

Zotob.F

Executable size: 10,878 bytes
Executable name: wintbpx.exe Portls: TCP –445

Other details – Opens multiple TCP ports. Connects to IRC server at 72.20.41.139 to listen for update instructions, adds itself to the run in the registry, creates a file named %Temp%[NUMBER] which if successful contains TFTP scripts to download additional files.

Zotob.G

Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP –445,6667,1171
Aliases: W32.Drudebot.A

Other details – Attempts to connect IRC servers on port 6667, Opens a TFTP server on port 1171, attempts to end a variety of processes , Modifies the registry and deletes a variety of registry entries, and deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry, creates a file named %Temp%[NUMBER] which if successful contains TFTP scripts to download additional files. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Related Posts

Blog Traffic Exchange Related Posts
  • How to Remove Windows Smart Security (Removal Guide) Windows Smart Security is a rogue spyware application that may fool people into installing and purchasing due to the use of the words Windows and Security in the title. It may fool people into thinking that it is related to Microsoft Windows and perhaps even a part of the operating......
  • How to Remove ProtectDefender | ProtectDefender Removal Guide ProtectDefender is yet another recent rogue antivirus application from the wini family. As with many of the other entrants from this family, it is installed through the use of bogus flash updates and purported video codec downloads. Typically a computer user will run across a site that claims to host......
  • Exporting an active linux desktop with vnc, or vnc remote desktop under linux There are lots of ways to get a remote desktop under linux, remote X, nxserver, vnc. One of the problems though is the most common configuration doesn't let you connect to a running desktop session. There is a vnc component that let's you do this and I'm using it right......
Blog Traffic Exchange Related Websites
  • Duxbury Salmon 8/14/2010 I went salmon fishing off the Duxbury reef with Captain Perry Kerson and deckhand Mikey of Sea Turtle Sport Fishing. Had an awesome time. You cannot find a better 6 pack fishing boat in the bay area. Perry grew up on the bay water so he is extremely knowledgeable......
  • Triathlon Terms Here is a brief glossary of terms used in triathlon training and triathlon racing. 70.3 - This term is used to describe a Half Ironman race distance, which is a 1.2 mile swim, a 56 mile bike an 13.1 mile run. 140.6 - This term is used to describe an......
  • Open Office Would you like to have an office suite of software, similar to Microsoft Office and compatible with it's file formats, but without the price tag? OK, so that's a no-brainer; of course you would. Well, Open Office is exactly that. It's open source software that is 100% free to download......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site