AlphaOne Technology Support Forums  |  IMPORTANT ANNOUNCEMENTS  |  Virus Alerts  |  Topic: W32.Zotob.G

W32.Zotob.G
Posted by TJ (Tech Team) on August 17, 2005, 04:35:00 PM

W32.Zotob.G is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability.

When executed, W32.Zotob.G performs the following actions:

   1. Creates the mutex "windrg32", so that only one copy of the worm runs on the compromised computer at one time.

   2. Copies itself as the following file:

      %System%\usrnt\windrg32.exe

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   3. Deletes the original worm file.

   4. Adds the value:

      "WinDrg32" = "%System%\usernt\windrg32.exe"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

      so that it runs every time Windows starts.

   5. Fails to operate correctly if it detects it is not connected to a network, if the computer's IP address is non-routable, or if it is unable to look up www.google.com, www.ebay.com, or www.yahoo.com.

   6. Attempts to open a back door by connecting to one of the following IRC servers on TCP port 6667 and joining the channel #xaeti:

          * spookestreet.afraid.org
          * spookystreet.udp-flood.com
          * sppokystreet.m00p.org
          * spookystreet.afraid.org

            Note: At the time of writing these servers were unavailable.

   7. Allows the remote attacker to perform the following commands on the compromised computer:

          * Download and execute files
          * Send queries to www.google.com
          * End processes
          * Send random IRC messages
          * Check for email on [http://]www.mailinator.com/[REMOVED]
          * Submit URLs to [http://]tinyurl.com/[REMOVED]

   8. Opens a TFTP server on TCP port 1171.

   9. Attempts to end the following processes:

          * CxtPls.exe
          * EbatesMoeMoneyMaker*.exe
          * CMESys.exe
          * qttask.exe
          * realsched.exe
          * ViewMgr.exe
          * NHUpdater.exe

  10. Deletes the following registry values:

      "FunWebProducts"
      "MyWebSearch"
      "MyWay"
      "WeatherOnTray"
      "Hotbar"
      "sais"
      "msbb"
      "saie"
      "180ax"
      "lgbibsn"
      "tov"
      "180"
      "WinTools"
      "IBIS TB"
      "TBPS"
      "Toolbar"
      "Apropos"
      "NavExcel"
      "ViewMgr"
      "Viewpoint"
      "TkBellExe"
      "Real"
      "QuickTime Task"
      "QuickTime"
      "CMESys"
      "Gator"
      "Trickler"
      "GatorDownloader"
      "eZmmod"
      "eZula"
      "EbatesMoeMoneyMaker"
      "Ebates"
      "AutoUpdater"

      from the following subkeys:

      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunOnce

  11. Deletes the following files and deletes the contents of the following folders:

          * %ProgramFiles%\FunWebProducts
          * %ProgramFiles%\FunWebProducts\*.exe
          * %ProgramFiles%\MyWebSearch
          * %ProgramFiles%\MyWebSearch\*.exe
          * %ProgramFiles%\MyWay
          * %ProgramFiles%\MyWay\*.exe
          * %ProgramFiles%\Hotbar
          * %ProgramFiles%\Hotbar\*.exe
          * %ProgramFiles%\180Solutions
          * %ProgramFiles%\180Solutions\*.exe
          * %ProgramFiles%\Common Files\WinTools
          * %ProgramFiles%\Common Files\WinTools\*.exe
          * %ProgramFiles%\Toolbar
          * %ProgramFiles%\Toolbar\*.exe
          * %ProgramFiles%\CxtPls
          * %ProgramFiles%\NavExcel
          * %ProgramFiles%\Common Files\GMT
          * %ProgramFiles%\Common Files\GMT\GMT.exe
          * %ProgramFiles%\Common Files\CMEII
          * %ProgramFiles%\eZula
          * %ProgramFiles%\eZula\mmod.exe
          * %ProgramFiles%\EbatesMoeMoneyMaker
          * %ProgramFiles%\AutoUpdate
          * %ProgramFiles%\AutoUpdate\AutoUpdate.exe

  12. Generates random IP addresses, and attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039), using TCP port 445.

  13. Sends a file to the target computer. This file contains a TFTP script that will download a copy of the worm from the compromised computer.

  14. Saves this file as run[NUMBER].exe on the remote computer and executes it.

      Note: [NUMBER] represents several random numbers from 0 - 9.

  15. Logs the successfully exploited IP addresses to the IRC server it joined.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.g.html

To delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
   3. Click OK.
   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

   5. In the right pane, delete the value:

      "WinDrg32" = "%System%\usernt\windrg32.exe"

   6. Exit the Registry Editor.
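The regedit steps above, done offline from an exported copy of the Run key instead of by hand: the following is an added example (mine, not code from the post or from Symantec's writeup). It parses the text that "reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg" produces, finds the worm's startup value, and writes the .reg file that deletes that value when imported (the "Name"=- syntax). The exported text is constructed for the example; the value name WinDrg32 and the windrg32.exe path come from the post, and because the post spells the worm's folder both usrnt and usernt the match accepts either.

```python
"""Find the W32.Zotob.G Run value in a registry export and build the .reg
file that removes it.

Added example, not part of the forum post. Works on the text produced by
'reg export HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run run.reg'
so the change can be reviewed before anything is written to the registry.
"""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# The post gives the folder as both 'usrnt' and 'usernt'; accept either.
WORM_PATH = re.compile(r"\\us(?:e)?rnt\\windrg32\.exe", re.IGNORECASE)
WORM_VALUE = "windrg32"

# Constructed export: one legitimate value (assumed name) and the worm's value.
# A .reg file doubles every backslash inside quoted string data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"WinDrg32"="C:\\WINDOWS\\System32\\usernt\\windrg32.exe"
'''


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ values in a .reg export.

    Only quoted string values ("Name"="data") are collected; dword/hex
    values and the default value (@=) are ignored, which is enough here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and '"="' in line:
            name, data = line[1:].split('"="', 1)
            # Undo the .reg escaping of backslashes so paths compare naturally.
            keys[current][name] = data.rstrip('"').replace("\\\\", "\\")
    return keys


def find_zotob_entries(keys):
    """Return (key, value_name, data) for every value matching the indicators."""
    hits = []
    for key, values in keys.items():
        for name, data in values.items():
            if name.lower() == WORM_VALUE or WORM_PATH.search(data):
                hits.append((key, name, data))
    return hits


def removal_reg(hits):
    """Build a .reg file; a line of the form "Name"=- deletes that value."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in sorted({k for k, _, _ in hits}):
        out.append(f"[{key}]")
        for k, name, _ in hits:
            if k == key:
                out.append(f'"{name}"=-')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = find_zotob_entries(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data in found:
        print(f"suspicious: {key}\\{name} = {data}")
    print(removal_reg(found))
```

A real export is written as UTF-16 with a byte-order mark, so read it with encoding="utf-16" before passing it to parse_reg_export. The generated file only removes the Run value; the file under %System% and the running process still have to be dealt with as the Symantec page describes.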
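The network side of the post (the IRC back door in step 6, the TFTP server in step 8 that hands the worm to victims in step 13, and the random TCP/445 scanning in step 12) can be turned into simple flow-based detections. This is an added example, mine rather than the post's or Symantec's: it runs over constructed flow records of the form "src_ip dst_ip dst_port [dst_name]" and flags hosts that match. The IRC server names and port numbers are taken from the post; the record layout, the sample addresses and the scan threshold are assumptions.

```python
"""Flag hosts showing W32.Zotob.G network behaviour in flow records.

Added example, not part of the original forum post or of the Symantec
writeup it reproduces. Three behaviours from the post become detections:
the IRC back door on TCP/6667, the TFTP listener on TCP/1171 that serves
the worm to newly exploited hosts, and scanning of many random IPs on
TCP/445 (MS05-039). The flow records, their layout and the scan threshold
are constructed for the example.
"""
from collections import defaultdict

# Indicators copied from the post.
IRC_C2_HOSTS = {
    "spookestreet.afraid.org",
    "spookystreet.udp-flood.com",
    "sppokystreet.m00p.org",
    "spookystreet.afraid.org",
}
IRC_PORT = 6667
TFTP_PORT = 1171
SMB_PORT = 445
# Distinct TCP/445 targets per source before it counts as a scanner (assumed).
SCAN_THRESHOLD = 20


def parse_flows(lines):
    """Parse constructed 'src_ip dst_ip dst_port [dst_name]' records."""
    flows = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        src, dst, dport = parts[0], parts[1], int(parts[2])
        name = parts[3] if len(parts) > 3 else ""
        flows.append((src, dst, dport, name))
    return flows


def detect(flows):
    """Return {host: sorted tags} for hosts matching any Zotob.G indicator."""
    tags = defaultdict(set)
    smb_targets = defaultdict(set)
    for src, dst, dport, name in flows:
        if dport == IRC_PORT:
            # IRC from a workstation is worth a look; a listed server is a hit.
            tags[src].add("irc_c2_known_server" if name in IRC_C2_HOSTS
                          else "irc_c2_port")
        elif dport == TFTP_PORT:
            # The destination is the already infected host serving the worm;
            # the source is the host that was just exploited and is fetching it.
            tags[dst].add("tftp_server_1171")
            tags[src].add("tftp_fetch_1171")
        elif dport == SMB_PORT:
            smb_targets[src].add(dst)
    for src, targets in smb_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            tags[src].add("smb445_scan")
    return {host: sorted(t) for host, t in tags.items()}


# Constructed sample: 10.0.0.5 is infected (IRC, scanning, serving TFTP);
# 10.0.0.9 has just been exploited and fetches the worm; 10.0.0.7 is clean
# (one file-server connection on 445 is normal traffic).
SAMPLE_FLOWS = [
    "10.0.0.5 198.51.100.23 6667 spookystreet.afraid.org",
    "10.0.0.7 10.0.0.1 445",
    "10.0.0.7 93.184.216.34 443",
    "10.0.0.9 10.0.0.5 1171",
] + [f"10.0.0.5 203.0.113.{i} 445" for i in range(1, 26)]

if __name__ == "__main__":
    for host, found in detect(parse_flows(SAMPLE_FLOWS)).items():
        print(host, ", ".join(found))
```

The threshold is the part to tune: a host that legitimately talks to many file servers on 445 will trip a low value, so base it on what your own flow data shows for normal machines. The 1171 rule is the most specific of the three, because the post describes that port as the worm's own TFTP listener rather than a service anything else uses.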