W32/Zotob.worm

This page shows details and results of our analysis on the malware W32/Zotob.worm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

Varies

Description Added

2005-08-14

Description Modified

2005-08-15

Malware Proliferation

Characteristics

This worm exploits the MS05-039 vulnerability.  There are at least 2 other W32/Sdbot based worms know to exist that also exploit this vulnerability.  They may be seen with the filenames pnpsrv.exe or winpnp.exe. 
See http://vil.nai.com/vil/content/v_135434.htm

This self-executing worm spreads by exploiting Windows2000 MS05-039 vulnerable systems in order to instruct those systems to download and execute the worm.

On Demand Scans may detect this threat as New Malware.n with the 4551 DAT files or newer.

VirusScan Enterprise 8.0i and Managed VirusScan's generic buffer overflow protection protects against code execution that may result from exploitation of MS05-039.

Symptoms

The worm creates the file botzor.exe in the WINDOWS SYSTEM directory and registry run keys are created to load the worm at startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Run "WINDOWS SYSTEM" = botzor.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices "WINDOWS SYSTEM" = botzor.exe

An additional registry change is made:

  •  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
    SharedAccess "Start"  = 4 (default is 3)

The HOSTS file is appended to block access to anti-virus websites.  Appended HOSTS files are proactively detected as QHosts-35.

The worm contains BOT functionality.  It attempts to connect to diabl0.turkcoders.net on TCP port 8080 and join a specified channel to wait for further instructions.  Commands include:

  • sysinfo (RAM, OS, uptime)
  • download (to download and run a file)
  • remove (to remove the worm)

Method of Infection

This worm creates 16 threads to scan for infectable systems.  The worm targets random class B IP addresses, sending SYN packets to TCP Port 445.  When a vulnerable system is found, buffer overflow and shellcode is sent to the remote system, creating an FTP script (2pac.txt is the script file name) and launching FTP.EXE to download and execute the worm from the source system (via TCP port 33333, haha.exe is fetched).

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants