high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Included in our products from | October 2005 (3.98) |
| Protection available since | 15 August 2005 07:30:37 (GMT) |
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing W32/Zotob-B.
More Information
W32/Zotob-B is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-B spreads to other network computers by exploiting the common buffer overflow vulnerability for PnP (MS05-039).
W32/Zotob-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
A patch for the operating system vulnerability exploited by W32/Zotob-B can be obtained from Microsoft at:
MS05-039 W32/Zotob-B is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-B spreads to other network computers by exploiting the common buffer overflow vulnerability for PnP (MS05-039).
W32/Zotob-B runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.
When first run W32/Zotob-B copies itself to <System>\csm.exe and creates the following registry entries so as to auto-start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
csm Win Updates
csm.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
csm Win Updates
csm.exe
W32/Zotob-B sets the following registry entries, disabling the automatic startup of other software:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start
4
The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.
W32/Zotob-B also appends the following to the system HOSTS file in order to prevent access to certain websites:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
n127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com
A patch for the operating system vulnerability exploited by W32/Zotob-B can be obtained from Microsoft at:
|
