high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 15 August 2005 07:30:37 (GMT) |
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please read the instructions for removing W32/Zotob-B.
More Information
W32/Zotob-B is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-B spreads to other network computers by exploiting the common buffer overflow vulnerability for PnP (MS05-039).
W32/Zotob-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
A patch for the operating system vulnerability exploited by W32/Zotob-B can be obtained from Microsoft at:
MS05-039 W32/Zotob-B is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-B spreads to other network computers by exploiting the common buffer overflow vulnerability for PnP (MS05-039).
W32/Zotob-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run W32/Zotob-B copies itself to <System>\csm.exe and creates the following registry entries so as to auto-start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
csm Win Updates
csm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
csm Win Updates
csm.exe
W32/Zotob-B sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.
W32/Zotob-B also appends the following to the system HOSTS file in order to prevent access to certain websites:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
n127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
A patch for the operating system vulnerability exploited by W32/Zotob-B can be obtained from Microsoft at:
|
