high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 14 August 2005 15:53:19 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Zotob-A.
More Information
W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-A spreads to other network computers by exploiting the buffer overflow vulnerability for PnP (MS05-039).
W32/Zotob-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer. W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-A spreads to other network computers by exploiting the buffer overflow vulnerability for PnP (MS05-039).
W32/Zotob-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run W32/Zotob-A copies itself to <System>\botzor.exe.
The following registry entries are created to run botzor.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM
botzor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM
botzor.exe
W32/Zotob-A also sets the following registry entry
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.
W32/Zotob-A also appends the following to the system HOSTS file in order to prevent access to certain websites:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
n127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
A patch for the operating system vulnerabilitiy exploited by W32/Zotob-A can be obtained from Microsoft at:
|
