AlphaOne Technology Support Forums
IMPORTANT ANNOUNCEMENTS | Virus Alerts | Topic: W32.Zotob.B (Read 422 times)
TJ
W32.Zotob.B
« on: August 16, 2005, 08:52:21 AM »

W32.Zotob.B is a worm that spreads by exploiting the Microsoft Windows Plug and Play Service Vulnerability, as described in Microsoft Security Bulletin MS05-039.

W32.Zotob.B can run on, but not infect, computers running Windows 95/98/Me/NT4. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.

When W32.Zotob.B is executed, it performs the following actions:

   1. Creates the following mutex so that only one copy of the worm runs on the compromised computer:

      B-O-T-Z-O-R

   2. Copies itself as %System%\csm.exe.

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   3. Adds the value:

      "csm Win Updates" = "csm.exe"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

      so that it runs every time Windows starts.

   4. Modifies the value:

      "Start" = "4"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess

      to disable the Shared Access service in Windows 2000/XP.

   5. Connects to an IRC server on the domain [http://]wait.atillaekici.net[REMOVED] on TCP port 8080. This allows unauthorized remote access to the compromised computer.

   6. Opens an FTP server on TCP port 33333.

   7. Generates a random IP address from the current IP address. The worm does this by keeping the first two octets of the IP address on the system and randomizing the last two octets. For example, if the IP address of the system is 192.168.0.1, the worm will attempt to infect IP addresses beginning with 192.168.x.x.

   8. Attempts to spread to computers with the above random IP address by opening a backdoor using TCP port 8888 on the remote computer. The worm does this by attempting to exploit the Microsoft Windows Plug and Play Service Vulnerability, as described in Microsoft Security Bulletin MS05-039.

   9. Copies the following file to the newly compromised computer and executes an FTP script contained within it:

      %System%\2pac.txt

  10. Downloads and executes the following copy of the worm from the previously created FTP server on the host computer:

      %System%\haha.exe

  11. Adds the following entries to the hosts file:

      .... Made By .... Greetz to good friend  [REMOVED]  in the next 24hours!!!

      127.0.0.1 www.symantec.com
      127.0.0.1 securityresponse.symantec.com
      127.0.0.1 symantec.com
      127.0.0.1 www.sophos.com
      127.0.0.1 sophos.com
      127.0.0.1 www.mcafee.com
      127.0.0.1 mcafee.com
      127.0.0.1 liveupdate.symantecliveupdate.com
      127.0.0.1 www.viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 viruslist.com
      127.0.0.1 f-secure.com
      127.0.0.1 www.f-secure.com
      127.0.0.1 kaspersky.com
      127.0.0.1 kaspersky-labs.com
      127.0.0.1 www.avp.com
      127.0.0.1 www.kaspersky.com
      127.0.0.1 avp.com
      127.0.0.1 www.networkassociates.com
      127.0.0.1 networkassociates.com
      127.0.0.1 www.ca.com
      127.0.0.1 ca.com
      127.0.0.1 mast.mcafee.com
      127.0.0.1 my-etrust.com
      127.0.0.1 www.my-etrust.com
      127.0.0.1 download.mcafee.com
      127.0.0.1 dispatch.mcafee.com
      127.0.0.1 secure.nai.com
      127.0.0.1 nai.com
      127.0.0.1 www.nai.com
      127.0.0.1 update.symantec.com
      127.0.0.1 updates.symantec.com
      127.0.0.1 us.mcafee.com
      127.0.0.1 liveupdate.symantec.com
      127.0.0.1 customer.symantec.com
      127.0.0.1 rads.mcafee.com
      127.0.0.1 trendmicro.com
      127.0.0.1 pandasoftware.com
      127.0.0.1 www.pandasoftware.com
      127.0.0.1 www.trendmicro.com
      127.0.0.1 www.grisoft.com
      127.0.0.1 www.microsoft.com
      127.0.0.1 microsoft.com
      127.0.0.1 www.virustotal.com
      127.0.0.1 virustotal.com
      127.0.0.1 www.amazon.com
      127.0.0.1 www.amazon.co.uk
      127.0.0.1 www.amazon.ca
      127.0.0.1 www.amazon.fr
      127.0.0.1 www.paypal.com
      127.0.0.1 paypal.com
      127.0.0.1 moneybookers.com
      127.0.0.1 www.moneybookers.com
      127.0.0.1 www.ebay.com
      127.0.0.1 ebay.com

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.b.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

   5. In the right pane, delete the value:

      "csm Win Updates" = "csm.exe"

   6. Exit the Registry Editor.



To re-enable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.


Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:

   1. Click Start > Control Panel.

   2. Double-click the Security Center.

   3. Ensure that the Firewall security essential is marked ON.

      Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.

      If the Firewall security essential is not marked on, click the "Recommendations" button.

   4. Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.

   5. Click Close, and then click OK.

   6. Close the Security Center.



Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:

   1. Click Start > Run.
   2. Type services.msc

      Then click OK.

   3. Do one of the following:
          * Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
          * Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.

   4. Under "Startup Type:", select "Automatic" from the drop-down menu.

   5. Under "Service Status:", click the Start button.

   6. Once the service has completed starting, click OK.

   7. Close the Services window.
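As an added example (not part of the forum post or of the Symantec writeup it reproduces), the script below audits a Windows hosts file for the kind of lockout described in step 11: security-vendor and update sites pointed at 127.0.0.1. The sample hosts text, the example.test hostnames and the helper names are constructed for the demo; the vendor domain list is a subset of the one in the post. The parser deliberately tolerates the worm's "Made By" graffiti line, which is written with no comment marker and would trip a naive "ip hostname" splitter.

```python
"""Audit a Windows hosts file for the security-vendor lockout described in step 11.

Added example, not part of the forum post or the Symantec writeup. The sample
hosts-file text and the example.test hostnames are constructed for the demo.
"""
import re

# Constructed sample of %SystemRoot%\system32\drivers\etc\hosts after the worm appends
# its block. The graffiti line has no '#' marker, so the parser must tolerate lines
# that are neither comments nor valid entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
.... Made By .... Greetz to good friend  [REMOVED]  in the next 24hours!!!
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.microsoft.com
127.0.0.1 www.paypal.com
127.0.0.1 www.example.test
192.168.1.10 intranet.example.test
"""

# Base domains from the post's list (subset); suffix matching covers www./update. hosts.
VENDOR_BASE_DOMAINS = (
    "symantec.com", "symantecliveupdate.com", "sophos.com", "mcafee.com",
    "viruslist.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "avp.com", "networkassociates.com", "ca.com", "my-etrust.com", "nai.com",
    "trendmicro.com", "pandasoftware.com", "grisoft.com", "microsoft.com",
    "virustotal.com", "amazon.com", "amazon.co.uk", "amazon.ca", "amazon.fr",
    "paypal.com", "moneybookers.com", "ebay.com",
)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
IPV6_RE = re.compile(r"^[0-9A-Fa-f:]+$")


def parse_hosts(text):
    """Split hosts text into (entries, malformed).

    entries:   list of (lineno, ip, [hostnames]) for lines of the form "ip name [name...]"
    malformed: list of (lineno, raw_line) for non-blank, non-comment lines that do not parse
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if not names or not (IPV4_RE.match(ip) or (":" in ip and IPV6_RE.match(ip))):
            malformed.append((lineno, raw))
            continue
        entries.append((lineno, ip, [n.lower() for n in names]))
    return entries, malformed


def is_vendor_domain(hostname):
    """True if hostname is one of the listed base domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in VENDOR_BASE_DOMAINS)


def audit_hosts(text):
    """Return a report of loopback redirections that match the worm's behaviour."""
    entries, malformed = parse_hosts(text)
    vendor_hits, other_loopback = [], []
    for lineno, ip, names in entries:
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name in ("localhost", "localhost.localdomain"):
                continue
            (vendor_hits if is_vendor_domain(name) else other_loopback).append((lineno, name))
    return {
        "vendor_hits": vendor_hits,        # strong indicator: security/update sites nulled
        "other_loopback": other_loopback,  # worth a look: anything else pointed at loopback
        "malformed": malformed,            # graffiti or corruption in the file
        "suspicious": bool(vendor_hits),
    }


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for lineno, name in report["vendor_hits"]:
        print(f"line {lineno}: {name} redirected to loopback (vendor/update site)")
    for lineno, name in report["other_loopback"]:
        print(f"line {lineno}: {name} redirected to loopback (review)")
    for lineno, raw in report["malformed"]:
        print(f"line {lineno}: unparseable entry: {raw!r}")
    print("suspicious:", report["suspicious"])
```

On a live system you would read the real hosts file into audit_hosts instead of SAMPLE_HOSTS; any vendor hit is a reason to check the Run/RunServices values and the SharedAccess Start value listed above before trusting the machine's AV updates again.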