Esbot and Zotob updates….



Wednesday afternoon and Esbot is up to revision .B, Zotob is up to .G according to SARC (Symantec AntiVirus Research Center). They have removal tools and details on affected systems there. Meanwhile the SANS Institute (incidents.org) has a rundown of the latest in today's Handler's Diary.



They also explain why they're still at Infocon green (as opposed to yellow over the weekend).

Among the details they've gleaned from the Zotob advisories:

Zotob.A

Executable size: 22,528 bytes
Executable Name: botzor.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend]

Other details – Opens an FTP server on TCP port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.B
Executable size: 27,648 bytes
Executable Name: csm.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.B [F-Secure] W32/Zotob.worm.b [McAfee] W32/Zotob-B [Sophos]
WORM_ZOTOB.B [Trend Micro]

Other details – Opens an FTP server on TCP port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.C

Executable size: 41,984 bytes
Executable Name: per.exe
Ports: TCP – 445,8080,33333

Other details – Mass-mailing worm; builds recipient addresses from a predefined list of user names combined with domain names it gathers from the infected computer, and contains its own SMTP engine to mail them. Opens an FTP server on TCP port 33333 and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.D

Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP – 6667,1117,445

Other details – Opens an FTP server on port 11173, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and Program Files directories, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.E

Executable size: 10,366 bytes
Executable Name: wintbp.exe
Ports: TCP – 8594,8080,445, UDP – 69
Aliases: WORM_RBOT.CBQ [Trend Micro]

Other details – Opens a TFTP server on UDP port 69, connects to an IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, and adds itself to the Run key in the registry.

Zotob.F

Executable size: 10,878 bytes
Executable name: wintbpx.exe
Ports: TCP – 445

Other details – Opens multiple TCP ports. Connects to an IRC server at 72.20.41.139 to listen for update instructions, adds itself to the Run key in the registry, and creates a file named %Temp%\[NUMBER] which, if successful, contains TFTP scripts to download additional files.

Zotob.G

Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP –445,6667,1171
Aliases: W32.Drudebot.A

Other details – Attempts to connect to IRC servers on TCP port 6667, opens a TFTP server on port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and Program Files directories, adds itself to the Run and RunServices keys in the registry, and creates a file named %Temp%\[NUMBER] which, if successful, contains TFTP scripts to download additional files. Modifies the hosts file to prevent antivirus and security programs from updating.
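A quick way to put the indicators above to use is a triage script that checks a box for them. The following is an added example written for this post, not code from Symantec, SANS or the advisories: it takes the file names, listener ports and IRC server addresses from the variant table, flags hosts-file entries that pin non-localhost names to 127.0.0.1 or 0.0.0.0 (the hijack pattern the advisories describe), and matches process and netstat listings against the worm's indicators. The hosts file, netstat output and process list are constructed sample inputs, and the SECURITY_DOMAINS list is an assumption, since the post does not say which hostnames the worm blocks.

```python
"""Host triage against the Zotob indicators listed above.

Added example for this post, not code from Symantec, SANS or anyone else.
The file names, ports and IRC server addresses come from the variant table
above; the hosts file, netstat output and process list below are constructed
sample inputs, and SECURITY_DOMAINS is an assumption (the advisories do not
say which hostnames the worm blocks).
"""
import ipaddress
import re

# Image names from the variant table above -> variant they point to.
ZOTOB_FILES = {
    "botzor.exe": "Zotob.A",
    "csm.exe": "Zotob.B",
    "per.exe": "Zotob.C",
    "windrg32.exe": "Zotob.D or Zotob.G",
    "wintbp.exe": "Zotob.E",
    "wintbpx.exe": "Zotob.F",
    "haha.exe": "dropped by Zotob.A/B",
}
# Listener ports from the table, minus TCP/445 (Windows itself listens there).
ZOTOB_PORTS = {8080, 33333, 6667, 1117, 1171, 8594}
# IRC servers named for Zotob.E and Zotob.F.
ZOTOB_IRC = {"72.20.27.115", "72.20.41.139"}
# Assumed placeholder list; the real blocked-hostname list is not in the post.
SECURITY_DOMAINS = ("symantec.com", "sarc.com", "mcafee.com", "sophos.com",
                    "trendmicro.com", "f-secure.com", "microsoft.com")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def _is_vendor(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs that look like a hosts-file hijack: any
    non-localhost name pinned to a loopback/unspecified address, or any
    entry at all for a security-vendor domain."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed line; skip it
        for name in fields[1:]:
            lname = name.lower()
            pinned = (ip.is_loopback or ip.is_unspecified) and lname not in LOCAL_NAMES
            if pinned or _is_vendor(lname):
                hits.append((str(ip), lname))
    return hits


def match_processes(process_names):
    """Map running image names to the variant they indicate."""
    return {p: ZOTOB_FILES[p.lower()] for p in process_names if p.lower() in ZOTOB_FILES}


_LISTEN = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.I)
_ESTAB = re.compile(r"^\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):\d+\s+ESTABLISHED", re.I)


def match_listeners(netstat_text):
    """Local TCP ports in LISTENING state that are on the worm's port list
    ('netstat -an' style input)."""
    return {int(m.group(1)) for line in netstat_text.splitlines()
            if (m := _LISTEN.match(line)) and int(m.group(1)) in ZOTOB_PORTS}


def match_irc(netstat_text):
    """Foreign addresses in ESTABLISHED state that match the listed IRC servers."""
    return {m.group(1) for line in netstat_text.splitlines()
            if (m := _ESTAB.match(line)) and m.group(1) in ZOTOB_IRC}


# Constructed sample inputs (not taken from a real infected host).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
0.0.0.0         update.example.org
192.168.1.10    fileserver
"""
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       72.20.27.115:8080      ESTABLISHED
"""
SAMPLE_PROCESSES = ["explorer.exe", "svchost.exe", "botzor.exe", "notepad.exe"]

if __name__ == "__main__":
    print("hosts hijack:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("processes:", match_processes(SAMPLE_PROCESSES))
    print("listeners:", match_listeners(SAMPLE_NETSTAT))
    print("irc:", match_irc(SAMPLE_NETSTAT))
```

On a live Windows box you would feed it the contents of %SystemRoot%\system32\drivers\etc\hosts, the output of `netstat -an` and the image names from `tasklist`. It is a first-pass check, not a replacement for the vendor removal tools linked above: the hosts check only catches the loopback-pinning pattern, and a variant that changes file names or ports will slip past the static lists.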
