W32/Zotob-D is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-D spreads to other network computers by exploiting common buffer overflow vulnerabilities, including PnP (MS05-039).
W32/Zotob-D runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
The following patch for the operating system vulnerability exploited by W32/Zotob-D can be obtained from the Microsoft website:
MS05-039
W32/Zotob-D is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-D spreads to other network computers by exploiting common buffer overflow vulnerabilities, including PnP (MS05-039).
W32/Zotob-D runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run W32/Zotob-D copies itself to <System>\botzor.exe and creates the following registry entries so as to auto-start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
botzor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
botzor.exe
W32/Zotob-D sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
W32/Zotob-D modifies an infected computer's HOSTS file as follows, denying access to those websites specified:
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
The following patch for the operating system vulnerability exploited by W32/Zotob-D can be obtained from the Microsoft website:
MS05-039