Esbot and Zotob updates….



Wednesday afternoon and Esbot is up to revision .B, Zotob is up to G according to Sarc (Symantec antivirus research). They have appropriate removal tools and details on affected systems there. Meanwhile the Sans institute (incidents.org) has a rundown of the latest in todays handlers diary.



They also explain why they’re still at infocon Green (as opposed to yellow over the weekend.)

Among the details they’ve gleaned from the zotob advisories….

Zotob.A

Executable size: 22,528 bytes
Executable Name: botzor.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend]

Other details – Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.B
Executable size: 27,648 bytes
Executable Name: csm.exe
Ports: TCP – 445,8080,33333

Aliases: Zotob.B [F-Secure] W32/Zotob.worm.b [McAfee] W32/Zotob-B [Sophos]
WORM_ZOTOB.B [Trend Micro]

Other details – Opens FTP server on port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.C

Executable size: 41,984 bytes
Executable Name: per.exe
Ports: TCP – 445,8080,33333

Other details – Mass-mailing worm uses a predefined list of recipient names appending the domain names that it gathers from an infected computer. Contains its own SMTP engine to email to the addresses that it finds. Opens FTP server on port 33333, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.D

Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP – 6667,1117,445

Other details – Opens FTP server on port 11173, attempts to end a variety of processes , Modifies the registry and deletes a variety of registry entries, and deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Zotob.E

Executable size: 10,366 bytes
Executable Name: wintbp.exe
Ports: TCP – 8594,8080,445, UDP – 69
Aliases: WORM_RBOT.CBQ [Trend Micro]

Other details – Opens TFTP server on port UDP 69, Connects to IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, adds itself to the run in the registry.

Zotob.F

Executable size: 10,878 bytes
Executable name: wintbpx.exe Portls: TCP –445

Other details – Opens multiple TCP ports. Connects to IRC server at 72.20.41.139 to listen for update instructions, adds itself to the run in the registry, creates a file named %Temp%[NUMBER] which if successful contains TFTP scripts to download additional files.

Zotob.G

Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP –445,6667,1171
Aliases: W32.Drudebot.A

Other details – Attempts to connect IRC servers on port 6667, Opens a TFTP server on port 1171, attempts to end a variety of processes , Modifies the registry and deletes a variety of registry entries, and deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry, creates a file named %Temp%[NUMBER] which if successful contains TFTP scripts to download additional files. Modifies the hosts file to prevent updating of antivirus and security programs from updating.

Related Posts

Blog Traffic Exchange Related Posts
  • Exporting an active linux desktop with vnc, or vnc remote desktop under linux There are lots of ways to get a remote desktop under linux, remote X, nxserver, vnc. One of the problems though is the most common configuration doesn't let you connect to a running desktop session. There is a vnc component that let's you do this and I'm using it right......
  • How to Remove ProtectDefender | ProtectDefender Removal Guide ProtectDefender is yet another recent rogue antivirus application from the wini family. As with many of the other entrants from this family, it is installed through the use of bogus flash updates and purported video codec downloads. Typically a computer user will run across a site that claims to host......
  • Common Networking Ports Along the lines of "knowing your network" with the network security guide. Here are some of the most commonly used network ports. There are 65535 ports that can listen for a connection, so this is not a thorough listing. (These are tcp unless noted otherwise.) FTP 21 (file transfer protocol,......
Blog Traffic Exchange Related Websites
  • Triathlon Terms Here is a brief glossary of terms used in triathlon training and triathlon racing. 70.3 - This term is used to describe a Half Ironman race distance, which is a 1.2 mile swim, a 56 mile bike an 13.1 mile run. 140.6 - This term is used to describe an......
  • Application Virtualization with ThinApp (formerly Thinstall) I don't know why this is not getting more attention.  VMware and Landesk's Thinstall (now called ThinApp) has been out for close to two years now and I continue to be surprised that it is not more widely adopted. It is a great product that really lives up to the......
  • Create Autorun for your CD's and DVD's The compact disk drive auto play feature, common to most operating systems, is a good way to simplify user experience. Auto play is controlled by a simple text-only file called autorun.inf. While there are dozens of software utilities available that will help you create the file, all you really need......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site