AlphaOne Technology Support Forums
Author Topic: W32.Zotob.I  (Read 439 times)
TJ
Tech Team
W32.Zotob.I
« on: August 24, 2005, 08:18:12 PM »

W32.Zotob.I is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039) on TCP port 445.

Note: While computers running Windows 95/98/Me/NT4/XP operating systems cannot be infected remotely, it is possible they could be infected if W32.Zotob.I is executed locally (although this is an unlikely occurrence). Vulnerable Windows 2000 computers could then be infected by the compromised computer.

When W32.Zotob.I is executed, it performs the following actions:

   1. Creates the mutex "S-Y-B-O-T-By-Sky-Dancer" so that only one copy of the worm runs on the compromised computer at one time.

   2. Copies itself as the following file:

      %Windir%\HPSV.exe

      Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

   3. Adds the value:

      "SyBot v2.1 By Sky-Dancer" = "HPSV.exe"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\OLE
      HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

      so that it runs every time Windows starts.

   4. Opens a back door by connecting to the following IRC server on TCP port 5544 to listen for IRC commands:

      sezen.aydankaya.org

   5. Allows the attacker to use IRC commands to download and execute files from the IRC server.

   6. Opens an FTP server on TCP port 19907.

   7. Sends packets to randomly generated IP addresses, based on the IP address of the compromised computer.

   8. Attempts to exploit the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039) on TCP port 445.

   9. If successful, the exploit code will open a back door on the remote computer.

  10. Sends the file 2pac.txt to the target computer via the back door. This file contains an FTP script that will download a copy of the worm from the compromised computer.

  11. Saves the file as haha.exe on the target computer and executes it.

  12. Logs the successfully exploited IP addresses to the IRC server it joined.

REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.i.html

To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

   1. Click Start > Run.
   2. Type regedit
   3. Click OK.

      Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

   4. Navigate to the subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\OLE
      HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

   5. In the right pane, delete the value:

      "SyBot v2.1 By Sky-Dancer" = "HPSV.exe"

   6. Exit the Registry Editor.
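The indicators in the post above (the autorun value name and data, the seven subkeys, the IRC host on TCP 5544, the FTP listener on TCP 19907, and the TCP 445 scanning) turned into a defender's check, added here as an example; it is not part of the original post or of Symantec's writeup. The registry snapshot is supplied as plain data (as you would get from exporting the listed keys) so the check runs offline, and the connection-log line format, the sample snapshot and the sample log lines are all constructed for the example.

```python
import re
from typing import Dict, List

# Indicators quoted from the W32.Zotob.I description above.
ZOTOB_VALUE_NAME = "SyBot v2.1 By Sky-Dancer"
ZOTOB_VALUE_DATA = "HPSV.exe"
ZOTOB_AUTORUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
]
ZOTOB_IRC_HOST = "sezen.aydankaya.org"
ZOTOB_IRC_PORT = 5544
ZOTOB_FTP_PORT = 19907
SMB_PORT = 445

# A registry snapshot: subkey path -> {value name: value data}. It would normally
# be produced by exporting the listed keys on the host; here it is plain data.
RegistrySnapshot = Dict[str, Dict[str, str]]


def find_persistence(snapshot: RegistrySnapshot) -> List[str]:
    r"""Return the autorun subkeys that still carry the worm's value.

    Key and value names are compared case-insensitively, as the registry does;
    the data is matched on its file name so a full path such as
    %Windir%\HPSV.exe is caught as well as the bare "HPSV.exe".
    """
    by_key = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    hits = []
    for key in ZOTOB_AUTORUN_KEYS:
        data = by_key.get(key.lower(), {}).get(ZOTOB_VALUE_NAME.lower())
        if data is None:
            continue
        file_name = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
        if file_name.lower() == ZOTOB_VALUE_DATA.lower():
            hits.append(key)
    return hits


# Constructed connection-log format (assumption, not from the writeup):
#   <timestamp> <OUT|IN|LISTEN> TCP <src-ip>:<src-port> -> <dst>:<dst-port>
# A LISTEN line carries the local port in the source field, e.g. 0.0.0.0:19907 -> *:0
_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>OUT|IN|LISTEN)\s+TCP\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)


def scan_connections(lines: List[str], scan_threshold: int = 20) -> List[str]:
    """Flag the network behaviour the writeup attributes to the worm.

    One finding per matched indicator:
      - outbound TCP/5544 (the IRC back door), naming the host when it is the known one
      - a local listener on TCP/19907 (the worm's FTP server)
      - outbound TCP/445 attempts to >= scan_threshold distinct hosts (MS05-039 scanning)
    """
    findings = []
    smb_targets = set()
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped, never counted as evidence
        direction, dst, dport = m["dir"], m["dst"], int(m["dport"])
        if direction == "LISTEN":
            if int(m["sport"]) == ZOTOB_FTP_PORT:
                findings.append(f"FTP server opened on TCP {ZOTOB_FTP_PORT}")
        elif direction == "OUT" and dport == ZOTOB_IRC_PORT:
            note = " (known C2 host)" if dst.lower() == ZOTOB_IRC_HOST else ""
            findings.append(f"IRC back door: outbound to {dst}:{dport}{note}")
        elif direction == "OUT" and dport == SMB_PORT:
            smb_targets.add(dst)
    if len(smb_targets) >= scan_threshold:
        findings.append(f"MS05-039 scanning: TCP 445 attempts to {len(smb_targets)} hosts")
    return findings


# Constructed sample data for a stand-alone run.
SAMPLE_SNAPSHOT: RegistrySnapshot = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SyBot v2.1 By Sky-Dancer": "HPSV.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa": {
        "sybot v2.1 by sky-dancer": r"C:\WINDOWS\HPSV.exe",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE": {"EnableDCOM": "Y"},
}

SAMPLE_LOG = [
    "2005-08-24T20:01:03 OUT TCP 192.168.1.20:1043 -> sezen.aydankaya.org:5544",
    "2005-08-24T20:01:04 LISTEN TCP 0.0.0.0:19907 -> *:0",
    *[f"2005-08-24T20:01:{5 + i:02d} OUT TCP 192.168.1.20:{1100 + i} -> 192.168.5.{10 + i}:445"
      for i in range(25)],
    "2005-08-24T20:02:10 OUT TCP 192.168.1.20:1200 -> 10.0.0.5:80",
]

if __name__ == "__main__":
    for key in find_persistence(SAMPLE_SNAPSHOT):
        print("persistence value present in", key)
    for finding in scan_connections(SAMPLE_LOG):
        print("network:", finding)
```

The 445 check is a count of distinct destinations rather than a single-packet match because an unpatched host legitimately talks SMB to a handful of servers; the threshold is the knob to tune to your network. A host that trips the persistence check is the one to take through the removal steps above, and the two network findings are what to watch for on the perimeter while the patch for MS05-039 is rolled out.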