Esbot and Zotob updates…



Wednesday afternoon and Esbot is up to revision .B, Zotob is up to .G according to SARC (Symantec Antivirus Research Center). They have the appropriate removal tools and details on affected systems there. Meanwhile the SANS Institute (incidents.org) has a rundown of the latest in today's handler's diary.



They also explain why they're still at Infocon Green (as opposed to Yellow over the weekend).

Among the details they've gleaned from the Zotob advisories…

Zotob.A

Executable size: 22,528 bytes
Executable name: botzor.exe
Ports: TCP – 445, 8080, 33333

Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend Micro]

Other details – Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.B

Executable size: 27,648 bytes
Executable name: csm.exe
Ports: TCP – 445, 8080, 33333

Aliases: Zotob.B [F-Secure], W32/Zotob.worm.b [McAfee], W32/Zotob-B [Sophos], WORM_ZOTOB.B [Trend Micro]

Other details – Opens an FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.C

Executable size: 41,984 bytes
Executable name: per.exe
Ports: TCP – 445, 8080, 33333

Other details – Mass-mailing worm that builds target addresses from a predefined list of recipient names combined with domain names gathered from the infected computer. Contains its own SMTP engine for mailing itself to the addresses it finds. Opens an FTP server on port 33333 and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.D

Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP – 6667, 1117, 445

Other details – Opens an FTP server on port 11173, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.

Zotob.E

Executable size: 10,366 bytes
Executable name: wintbp.exe
Ports: TCP – 8594, 8080, 445; UDP – 69

Aliases: WORM_RBOT.CBQ [Trend Micro]

Other details – Opens a TFTP server on UDP port 69, connects to an IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, and adds itself to the Run key in the registry.

Zotob.F

Executable size: 10,878 bytes
Executable name: wintbpx.exe
Ports: TCP – 445

Other details – Opens multiple TCP ports. Connects to an IRC server at 72.20.41.139 to listen for update instructions, adds itself to the Run key in the registry, and creates a file named %Temp%[NUMBER] which, if successful, contains TFTP scripts to download additional files.

Zotob.G

Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP – 445, 6667, 1171

Aliases: W32.Drudebot.A

Other details – Attempts to connect to IRC servers on port 6667, opens a TFTP server on port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, adds itself to the Run and RunServices keys in the registry, and creates a file named %Temp%[NUMBER] which, if successful, contains TFTP scripts to download additional files. Modifies the hosts file to prevent antivirus and security programs from updating.
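As an added triage example (not from the SANS diary, Symantec, or the original post), the script below cross-checks `netstat -ano`, `tasklist /fo csv` and hosts-file output against the executable names, listening ports and update-blocking behaviour listed above. The vendor domain names and the sample command output are assumptions constructed for the example.

```python
import csv
import re

# Executable names and listening ports taken from the variant list on this page.
ZOTOB_EXECUTABLES = {
    "botzor.exe": "Zotob.A", "csm.exe": "Zotob.B", "per.exe": "Zotob.C",
    "windrg32.exe": "Zotob.D or .G", "wintbp.exe": "Zotob.E", "wintbpx.exe": "Zotob.F",
}
ZOTOB_LISTENERS = {  # file-transfer servers the variants open on the infected host
    ("TCP", 33333): "FTP server, Zotob.A/B/C", ("TCP", 11173): "FTP server, Zotob.D",
    ("TCP", 1171): "TFTP server, Zotob.G", ("UDP", 69): "TFTP server, Zotob.E",
}
# Vendors named on this page (the domains are an assumption); a hosts entry pinning one
# of them to loopback is the update-blocking behaviour described for most variants.
VENDOR_DOMAINS = ("symantec.com", "mcafee.com", "sophos.com", "trendmicro.com", "f-secure.com")
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return [(proto, local_port, pid), ...] from `netstat -ano` style lines."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(NETSTAT_RE.match, text.splitlines()) if m]

def parse_tasklist(csv_text):
    """Return {pid: image name} from `tasklist /fo csv` output (header row included)."""
    return {int(r["PID"]): r["Image Name"].lower() for r in csv.DictReader(csv_text.splitlines())}

def triage(netstat_text, tasklist_csv, hosts_text):
    """Cross-check listeners, process names and hosts-file entries against the indicators."""
    procs, findings = parse_tasklist(tasklist_csv), []
    for proto, port, pid in parse_netstat(netstat_text):
        if (proto, port) in ZOTOB_LISTENERS:
            findings.append(f"{proto}/{port} held by pid {pid} ({procs.get(pid, '?')}): "
                            f"{ZOTOB_LISTENERS[(proto, port)]}")
    for pid, image in procs.items():
        if image in ZOTOB_EXECUTABLES:
            findings.append(f"process {image} (pid {pid}) matches {ZOTOB_EXECUTABLES[image]}")
    for line in hosts_text.splitlines():
        parts = line.split("#", 1)[0].split()  # strip comments, then "address hostname"
        if len(parts) >= 2 and parts[0].startswith("127.") and parts[1].lower().endswith(VENDOR_DOMAINS):
            findings.append(f"hosts file pins {parts[1]} to loopback (blocks updates)")
    return findings

# Constructed sample output, not captured from a real infection.
SAMPLE_NETSTAT = ("  TCP    0.0.0.0:33333    0.0.0.0:0    LISTENING   1640\n"
                  "  UDP    0.0.0.0:69       *:*                      1712\n")
SAMPLE_TASKLIST = ('"Image Name","PID","Session Name","Session#","Mem Usage"\n'
                   '"botzor.exe","1640","Console","0","1,200 K"\n'
                   '"wintbp.exe","1712","Console","0","900 K"\n')
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 liveupdate.symantec.com  # added by the worm\n"
```

Run `triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST, SAMPLE_HOSTS)` to see the five findings the sample produces; a clean host returns an empty list.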
