W32/Zotob-C is an email and network worm and backdoor for the Windows platform.
W32/Zotob-C spreads by email and to other computers on the network by exploiting buffer overflow vulnerabilities in Windows, including LSASS (MS04-011) and Plug and Play (MS05-039).
W32/Zotob-C runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
Email sent by W32/Zotob-C has the following characteristics:
Subject line:
Warning!!
**Warning**
Hello
Confirmed...
Important!
Message text:
looooool
We found a photo of you in ...
That's your photo!!?
hey!!
0K here is it!
The attached file may have a randomly generated name or one of the following:
photo
your_photo
image
picture
sample
loool
webcam_photo
with an extension of BAT, CMD, EXE, PIF or SCR.
The from address of the email will be spoofed.
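A mail-gateway check for the lure described above, as an added example (not code from the original page or from the vendor). It parses an RFC 822 message with the Python standard library, looks for the listed subject lines, body phrases, attachment names and executable extensions, and treats a From: domain that disagrees with the Return-Path domain as a spoofing hint. The sample messages, the domains in them and the scoring rule (executable attachment plus at least one lure string) are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Lure strings taken from the description above (matched case-insensitively).
SUBJECTS = {"warning!!", "**warning**", "hello", "confirmed...", "important!"}
BODY_PHRASES = ("looooool", "we found a photo of you in",
                "that's your photo!!?", "hey!!", "0k here is it!")
ATTACH_NAMES = {"photo", "your_photo", "image", "picture",
                "sample", "loool", "webcam_photo"}
EXEC_EXTS = {"bat", "cmd", "exe", "pif", "scr"}


def _domain(addr_header) -> str:
    """Domain part of an address header such as 'Bob <bob@x.example>'."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def score_message(raw: bytes) -> dict:
    """Return the Zotob-C indicators found in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(phrase in text for phrase in BODY_PHRASES):
        hits.append("body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if ext in EXEC_EXTS:
            hits.append("exec_attachment")
            if stem in ATTACH_NAMES:
                hits.append("attachment_name")

    # Spoofed sender: From: domain disagrees with the envelope sender.
    # Heuristic only; mailing lists and forwarders legitimately differ here.
    if msg["Return-Path"] and _domain(msg["Return-Path"]) != _domain(msg["From"]):
        hits.append("from_mismatch")

    # Scoring rule (assumption): an executable attachment plus any lure string.
    lure = {"subject", "body", "attachment_name"} & set(hits)
    return {"hits": hits, "flagged": "exec_attachment" in hits and bool(lure)}


def build_lure_sample() -> bytes:
    """Constructed message shaped like the worm's mail (addresses are made up)."""
    m = EmailMessage()
    m["From"] = "friend@contoso.example"
    m["Return-Path"] = "<zzz@mail.fabrikam.example>"
    m["To"] = "victim@contoso.example"
    m["Subject"] = "Warning!!"
    m.set_content("We found a photo of you in ...")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="your_photo.scr")
    return m.as_bytes()


def build_benign_sample() -> bytes:
    """Constructed ordinary message with a document attachment."""
    m = EmailMessage()
    m["From"] = "alice@contoso.example"
    m["To"] = "bob@contoso.example"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes attached.")
    m.add_attachment(b"%PDF-1.4", maintype="application",
                     subtype="pdf", filename="notes.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    print(score_message(build_lure_sample()))
    print(score_message(build_benign_sample()))
```

The extension check is the part worth keeping even after the lure strings change: a gateway that refuses BAT, CMD, EXE, PIF and SCR attachments outright stops this worm's email vector regardless of the subject or file name chosen.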
W32/Zotob-C searches for email addresses in the Windows address book and in files with the following extensions:
ADB, ASP, CGI, DBX, HTM, HTML, JSP, PHP, PL, SHT, TBB, TXT, WAB, XML
The worm avoids sending email to addresses that contain any of the following strings:
.gov
.mil
acketst
arin.
avp
berkeley
borlan
bsd
example
fido
foo.
fsf.
gnu
google
gov.
hotmail
iana
ibm.com
icrosof
ietf
inpris
isc.o
isi.e
kernel
linux
math
mit.e
mozilla
msn.
mydomai
nodomai
panda
pgp
rfc-ed
ripe.
ruslis
secur
sendmail
sopho
syma
tanford.e
unix
usenet
utgers.ed
When first run, W32/Zotob-C copies itself to the Windows system folder as per.exe and lol.exe and creates the following registry entries so that it runs automatically at startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
per.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
per.exe
The RunServices key is only honoured by Windows 9x/Me; on Windows NT-based systems the Run entry is the effective persistence mechanism.
W32/Zotob-C sets the following registry entry, which disables the Windows Firewall/Internet Connection Sharing service (SharedAccess); a Start value of 4 means the service will not be started:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Zotob-C also overwrites the HOSTS file to block access to certain websites, including anti-virus vendor websites, which hinders fetching updates or removal tools from an infected machine.
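A triage script for the host indicators listed above, as an added example (not code from the original page or from the vendor). It works on artefacts collected from a machine or a disk image rather than the live registry: the text output of `reg export`, the HOSTS file, and a listing of the system folder. The reg-export sample and HOSTS sample are constructed for the example; since the page does not name the blocked websites, the HOSTS check reuses the vendor name fragments from the worm's own address-avoidance list ("secur", "syma", "sopho", "panda", "avp", "icrosof") as an assumed heuristic for anti-virus sites.

```python
import ntpath
import re

# Indicators from the description above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4          # Start=4 means the service is disabled
DROPPED_FILES = {"per.exe", "lol.exe"}
# Assumption: the page names no blocked hosts, so vendor fragments from the
# worm's own address-avoidance list are used to recognise anti-virus sites.
VENDOR_FRAGMENTS = ("secur", "syma", "sopho", "panda", "avp", "icrosof")

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode_value(raw: str):
    """Turn a reg-export value ("text" or dword:0000000N) into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\')
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> dict:
    """Parse 'reg export' output into {key: {value_name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = _decode_value(m.group(2))
    return keys


def check_registry(reg: dict) -> list:
    """Flag the autostart entries and the disabled firewall service."""
    findings = []
    for key in RUN_KEYS:
        for name, value in reg.get(key, {}).items():
            if isinstance(value, str) and ntpath.basename(value).lower() in DROPPED_FILES:
                findings.append(f"autostart {key}\\{name} = {value}")
    if reg.get(SHAREDACCESS_KEY, {}).get("Start") == SERVICE_DISABLED:
        findings.append("SharedAccess (Windows Firewall/ICS) set to Start=4 (disabled)")
    return findings


def check_hosts(text: str) -> list:
    """Flag HOSTS entries that pin vendor-looking names to a dead address."""
    findings = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for name in fields[1:]:
            low = name.lower()
            if low != "localhost" and any(f in low for f in VENDOR_FRAGMENTS):
                findings.append(f"hosts redirects {name} -> {fields[0]}")
    return findings


def check_system_dir(filenames) -> list:
    return [f"dropped file {f}" for f in filenames if f.lower() in DROPPED_FILES]


def triage(reg_export: str, hosts_text: str, system_dir_listing=()) -> dict:
    return {
        "registry": check_registry(parse_reg_export(reg_export)),
        "hosts": check_hosts(hosts_text),
        "files": check_system_dir(system_dir_listing),
    }


# Constructed artefacts for the example (not from a real infection).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="per.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
SAMPLE_HOSTS = """# constructed HOSTS file
127.0.0.1 localhost
127.0.0.1 www.sophos.com
127.0.0.1 securityresponse.symantec.com
"""

if __name__ == "__main__":
    for section, items in triage(SAMPLE_REG, SAMPLE_HOSTS, ["per.exe", "notepad.exe"]).items():
        print(section, items)
```

Run against a live system, the same three inputs come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the RunServices and SharedAccess keys), `%SystemRoot%\system32\drivers\etc\hosts`, and a directory listing of `%SystemRoot%\system32`. The HOSTS heuristic will also match hand-made ad-blocking hosts files, so treat it as a lead to confirm, not a verdict on its own.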
Patches for the operating system vulnerabilities exploited by W32/Zotob-C are available from Microsoft in the following security bulletins:
MS04-011
MS05-039