
Win32.Worm.Zotob.A

Rating: LOW
Size: 22528 bytes
Alias: Zotob

Symptoms

- Presence of the files "haha.exe" and/or "botzor.exe" in the Windows System directory (%SYSDIR%).
- Startup entries in the registry under {HKLM|HKCU}\Software\Microsoft\Windows\CurrentVersion\{Run|RunServices} whose target is "botzor.exe".
- The Windows XP SP2 firewall turned off.
- Entries in %SYSDIR%\drivers\etc\hosts that prevent antivirus products from reaching their update servers.

Removal instructions:

Please let BitDefender disinfect your files.

Analyzed By

Daniel Ionita, virus researcher

Technical Description:

The worm is packed with UPack and is about 22 KB in size. It spreads by exploiting the Windows Plug and Play (PnP) vulnerability over TCP port 445 (the flaw fixed by Microsoft's MS05-039 update).

At startup, the worm disables the Windows XP SP2 firewall if it is present, registers itself in the Run/RunServices registry keys so that it is executed at every system start, and copies itself into the %SYSDIR% directory. It also overwrites %SYSDIR%\drivers\etc\hosts with entries that point the update servers of most antivirus products at the local machine, so that signature updates fail.
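The symptoms listed above (dropped files, Run/RunServices entries and the hijacked hosts file) can be checked mechanically. The following triage helper is an added example for this page, not a Bitdefender tool: the parsing functions work on hosts-file text and on a mapping of registry values so they can be exercised offline, and the list of antivirus update hostnames is illustrative (the page does not reproduce the worm's actual list). The optional live collector reads the real hosts file and Run keys only on Windows.

```python
"""Triage helper for Zotob.A symptoms (added example, not Bitdefender's
own tool). Hostnames below are assumptions chosen for illustration."""
import os
import re
import sys
import ipaddress

# Update hosts worth watching in a hijacked hosts file. Illustrative list;
# the worm's real list is not reproduced on the page.
WATCHED_UPDATE_HOSTS = {
    "update.bitdefender.com",
    "liveupdate.symantec.com",
    "download.mcafee.com",
    "windowsupdate.microsoft.com",
}

DROPPED_FILES = {"haha.exe", "botzor.exe"}     # names given in the analysis


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and malformed lines instead of crashing on them."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Entries that pin a watched update host to any address. A clean
    hosts file never needs them, so each hit is an indicator.
    Returns [(ip, hostname, points_to_loopback)]."""
    return [(str(ip), name, ip.is_loopback)
            for ip, name in parse_hosts(text)
            if name in WATCHED_UPDATE_HOSTS]


def suspicious_run_values(values):
    """values: mapping value-name -> command line, as read from the
    Run/RunServices keys. Flags commands whose executable is one of the
    dropped files, whether given bare ("botzor.exe") or with a full path."""
    exe = re.compile(r'[^\\/"\s]+\.exe', re.IGNORECASE)
    return {name: cmd for name, cmd in values.items()
            if any(m.lower() in DROPPED_FILES for m in exe.findall(cmd))}


def collect_live_windows():
    """On Windows, read the real artefacts; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    report = {"files": [f for f in DROPPED_FILES
                        if os.path.exists(os.path.join(sysdir, f))]}
    with open(os.path.join(sysdir, "drivers", "etc", "hosts"), errors="replace") as fh:
        report["hosts"] = suspicious_hosts_entries(fh.read())
    values = {}
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for sub in ("Run", "RunServices"):
            try:
                key = winreg.OpenKey(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\" + sub)
            except OSError:
                continue            # RunServices is absent on modern Windows
            with key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    values[f"{sub}\\{name}"] = str(data)
                    i += 1
    report["run"] = suspicious_run_values(values)
    return report


if __name__ == "__main__":
    # Constructed sample input, not captured from a real infection.
    sample_hosts = ("127.0.0.1 localhost\n"
                    "127.0.0.1 update.bitdefender.com\n"
                    "0.0.0.0 LiveUpdate.Symantec.com # added by malware\n")
    sample_run = {"WINDOWS SYSTEM": "botzor.exe",
                  "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
    print(suspicious_hosts_entries(sample_hosts))
    print(suspicious_run_values(sample_run))
    print(collect_live_windows())
```

The hosts check flags any address, not just 127.0.0.1: a hijack that points an update host at an attacker-controlled server is worse than one that points it at loopback, and the loopback flag in the result distinguishes the two.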

The worm has two major components: an FTP server and a "search and exploit" thread. It first starts the FTP server. It then takes the IP address of the current computer and keeps only the first two octets (for example, 192.168.0.1 is split into 192.168 and 0.1): the first two octets stay fixed while the last two are generated randomly, so the scan covers the local /16 network. For each generated address the worm first "pings" it to check that a computer is actually there, then attempts the exploit. If the exploit succeeds, a Windows batch file (.bat) is dropped on the victim that downloads the worm over FTP from the attacking computer's IP address and starts it on the victim.
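The spreading pattern described above leaves two distinctive traces in network flow records: a host opening port 445 on many random addresses inside its own /16, and a scanned host later opening a connection back to the scanner to fetch the worm over FTP. The detection below is an added example for this page, not Bitdefender's analysis; the flow records are constructed, and the field layout, the 20-target threshold and the FTP port used in the sample (33333) are assumptions.

```python
"""Detecting Zotob-style /16 scanning and the FTP call-back from flow
records (added example; records, thresholds and ports are assumptions)."""
import random
import ipaddress
from collections import defaultdict


def site16(ip):
    """The /16 containing ip: the worm keeps the first two octets of its
    own address and randomises the last two."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def find_lan_scanners(flows, min_targets=20):
    """flows: iterable of (ts, src, dst, dport). Returns {src: set(dst)} for
    sources that touched at least min_targets distinct hosts on 445 inside
    their own /16. Counting distinct targets rather than packets keeps a
    client that uses a handful of file servers from being flagged."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 445 and dst != src and ipaddress.ip_address(dst) in site16(src):
            targets[src].add(dst)
    return {s: d for s, d in targets.items() if len(d) >= min_targets}


def find_callbacks(flows, scanners):
    """A successful exploit drops a .bat that fetches the worm over FTP from
    the attacking host, so a scanned host that later initiates a connection
    back to its scanner is a strong infection indicator.
    Returns [(victim, scanner, dport)] in time order."""
    first_probe = {}          # (scanner, victim) -> ts of first 445 probe
    hits = []
    for ts, src, dst, dport in sorted(flows):
        if src in scanners and dst in scanners[src] and dport == 445:
            first_probe.setdefault((src, dst), ts)
        elif dst in scanners and (dst, src) in first_probe and ts > first_probe[(dst, src)]:
            hits.append((src, dst, dport))
    return hits


def sample_flows():
    """Constructed sample: one worm host scanning its /16, one benign SMB
    client, one victim calling back. Not captured traffic."""
    rng = random.Random(7)
    worm, victim = "10.20.5.7", "10.20.77.3"
    flows = [(100 + i, worm, f"10.20.{rng.randrange(256)}.{rng.randrange(1, 255)}", 445)
             for i in range(30)]
    flows.append((140, worm, victim, 445))       # the probe that succeeds
    flows.append((145, victim, worm, 33333))     # victim fetches the worm over FTP
    for srv in ("10.20.1.10", "10.20.1.11", "10.20.1.12"):
        flows.append((150, "10.20.30.4", srv, 445))   # normal file-server use
    flows.append((160, worm, "10.99.1.1", 445))  # outside the /16: ignored here
    return flows


if __name__ == "__main__":
    f = sample_flows()
    s = find_lan_scanners(f)
    print("scanners:", {k: len(v) for k, v in s.items()})
    print("call-backs:", find_callbacks(f, s))
```

Restricting the fan-out count to the scanner's own /16 mirrors the worm's behaviour as described, which keeps the example focused; a production detector should count 445 fan-out regardless of destination range, since other worms do not stay inside the local network.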

The worm reports its current operational status to its creator's IRC channel (for example after a successful exploit and infection) and accepts commands from its creator over IRC. It can also be updated to a newer version via IRC or HTTP.