Virus Information

| Profile | |
| --- | --- |
| Prevalence | Medium |
| Name | W32/Zotob-F |
| Type | Worm |
| How it spreads | Network Shares |
| Affected operating systems | Windows |
| Aliases | Net-Worm.Win32.Bozori.b |
| Date of surface | 17 August 2005 |
Description
This is a worm and IRC backdoor Trojan for the Windows platform.
W32/Zotob-F spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
W32/Zotob-F runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
Patches for the operating system vulnerabilities exploited by W32/Zotob-F can be obtained from Microsoft: MS04-011 and MS05-039.
Recovery
To remove the worm, do one of the following:
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that your system has Internet access. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed they are detected.
MWAV Tool Kit (Download the free MicroWorld Anti Virus Toolkit that detects viruses in the system registry and running processes)
eScan Internet Security Suite (ISS) (Download MicroWorld's eScan that detects viruses in the system registry and running processes and has a real time monitor)
Advanced
When first run, W32/Zotob-F copies itself to "System"\wintbpx.exe and creates the following files:
- "Temp"\387.bat
- "Temp"\821.bat
These are batch files which attempt to remove the worm's file from the current folder.
The following registry entry is created to run wintbpx.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name wintbpx.exe, data wintbpx.exe
W32/Zotob-F attempts to terminate the following processes and delete the corresponding files:
- wintbp.exe
- svnlitup32.exe
- service32.exe
- mousebm.exe
- llsrv.exe
- pnpsrv.exe
- winpnp.exe
- csm.exe
- system32.exe
- botzor.exe
- upnp.exe
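As an added defender-side example (not eScan/MicroWorld code), the following Python checks a host snapshot against the persistence artefacts and process kill list listed above; the snapshot layout, the `HostSnapshot`/`check_zotob_f` names and the rule that flags any all-digit `.bat` file in Temp are assumptions.

```python
from dataclasses import dataclass, field

# Indicators taken from the advisory text above.
DROPPED_FILE = "wintbpx.exe"   # copied to "System"\wintbpx.exe
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Processes the worm terminates (rival Zotob/Bozori variants and other bots).
KILL_LIST = {"wintbp.exe", "svnlitup32.exe", "service32.exe", "mousebm.exe",
             "llsrv.exe", "pnpsrv.exe", "winpnp.exe", "csm.exe",
             "system32.exe", "botzor.exe", "upnp.exe"}

@dataclass
class HostSnapshot:
    """Assumed collection format: a process listing, the Run key's values,
    and directory listings of the System and Temp folders."""
    processes: list[str]
    run_values: dict[str, str]          # value name -> command under RUN_KEY
    system_dir_files: list[str]
    temp_files: list[str] = field(default_factory=list)

def check_zotob_f(snap: HostSnapshot) -> list[str]:
    """Return one finding per matched indicator; an empty list means clean."""
    findings = []
    procs = {p.lower() for p in snap.processes}
    if DROPPED_FILE in procs:
        findings.append(f"process {DROPPED_FILE} is running")
    if DROPPED_FILE in {f.lower() for f in snap.system_dir_files}:
        findings.append(f"{DROPPED_FILE} is present in the System directory")
    for name, cmd in snap.run_values.items():
        # The advisory shows value name and data both equal to wintbpx.exe;
        # a command line that merely ends in that file name is matched too.
        if name.lower() == DROPPED_FILE or cmd.lower().endswith(DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {cmd!r} under {RUN_KEY}")
    for f in snap.temp_files:
        # The page names 387.bat and 821.bat; flagging any all-digit .bat
        # name in Temp generalises that pattern (an assumption).
        stem, _, ext = f.lower().rpartition(".")
        if ext == "bat" and stem.isdigit():
            findings.append(f"suspicious batch file {f} in Temp")
    rivals = sorted(procs & KILL_LIST)
    if rivals:
        findings.append("kill-list processes running: " + ", ".join(rivals))
    return findings

# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE = HostSnapshot(
    processes=["explorer.exe", "wintbpx.exe", "csm.exe"],
    run_values={"wintbpx.exe": "wintbpx.exe"},
    system_dir_files=["kernel32.dll", "WINTBPX.EXE"],
    temp_files=["387.bat", "821.bat", "setup.bat"],
)
```

On a live host, fill the snapshot from a process listing, the Run key and directory listings, then act on any non-empty result with the recovery steps above.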