W32/Zotob-F is a worm and IRC backdoor Trojan for the Windows platform.
W32/Zotob-F spreads to other network computers by exploiting common buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP (MS05-039).
W32/Zotob-F runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Patches for the operating system vulnerabilities exploited by W32/Zotob-F can be obtained from Microsoft at:
MS04-011
MS05-039
W32/Zotob-F is a worm and IRC backdoor Trojan for the Windows platform.
W32/Zotob-F spreads to other network computers by exploiting common buffer overflow vulnerabilites, including LSASS (MS04-011) and PnP (MS05-039).
W32/Zotob-F runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
When first run W32/Zotob-F copies itself to <System>\wintbpx.exe and creates the following files:
<Temp>\387.bat
<Temp>\821.bat
These are batch files which attempt to remove the worm's file from the current folder.
The following registry entry is created to run wintbpx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbpx.exe
wintbpx.exe
W32/Zotob-F attempts to terminate the following processes and delete the corresponding files:
wintbp.exe
svnlitup32.exe
service32.exe
mousebm.exe
llsrv.exe
pnpsrv.exe
winpnp.exe
csm.exe
system32.exe
botzor.exe
upnp.exe
Patches for the operating system vulnerabilities exploited by W32/Zotob-F can be obtained from Microsoft at:
MS04-011
MS05-039