Virus Information

Profile
Prevalence: Medium
Name: W32/Zotob-E
Type: Worm
How it spreads: Plug and Play
Affected operating systems: Windows
Aliases: Win32.Tpbot.A, Net-Worm.Win32.Small.d
Date of surface: 18 August 2005
Description
W32/Zotob-E is an IRC-controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It spreads by exploiting the Microsoft Windows Plug and Play service buffer overflow vulnerability. It has been distributed as a 10,366-byte Win32 executable, packed with UPX and Yoda's Cryptor.
The worm searches random IP addresses for potential targets, checking for vulnerable systems via port 445.
If it successfully exploits this vulnerability, the worm instructs the target to connect back to the source system and download the worm using the Windows TFTP (Trivial File Transfer Protocol) utility. It downloads the worm using a file name of the form "a<number>.exe", where <number> is a random number from 1000 to 9999, e.g. "a1000.exe". It then instructs the target to run this file, thus infecting it.
To enable the TFTP transfer, the worm acts as a very basic TFTP server on the originating system, listening on UDP port 69 (the standard TFTP port).
Recovery
You have to remove the virus. You need to do one of the following things:
1) The latest virus vaccine update of eScan removes the worm from your system. Ensure that your system has Internet access. Right click on and click Download eScan update. The latest updates are downloaded, your system is scanned and the worm is removed.
OR
2) Download the free MicroWorld Anti Virus Toolkit (MWAV Tool Kit). The tool checks your machine for viruses. If any illegal dialers or sniffer tools have been installed, they are detected.
MWAV Tool Kit (Download the free MicroWorld Anti Virus Toolkit that detects viruses in the system registry and running processes)
eScan Internet Security Suite (ISS) (Download MicroWorld's eScan that detects viruses in the system registry and running processes and has a real-time monitor)
Advanced
When executed, W32/Zotob-E creates a mutex called "wintbp.exe". If the mutex already exists, it quits.
W32/Zotob-E copies itself to the %System% directory as wintbp.exe and modifies the registry to execute this copy at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\wintbp.exe = "wintbp.exe"
It also creates and launches a batch file to delete the original executable. The batch file is created in the %Temp% folder, using a name of the form "<number>.bat", where <number> is a random 3-digit number from 100 to 999, e.g. "257.bat". After it has deleted the original worm copy, the batch file deletes itself.
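The indicators given in the Description and Advanced sections (the Run key value, the dropped wintbp.exe, the random "a<number>.exe" and "<number>.bat" names, the TFTP listener on UDP 69 and the probing of port 445) can be turned into a simple offline triage check. The Python below is an added example written for this page, not eScan or MicroWorld code: it reads constructed text in the shape of a .reg export, `netstat -ano` output and a list of file paths, and the scanning threshold is an assumption for illustration.

```python
"""Offline IoC checks for the W32/Zotob-E indicators described on this page.

All inputs are constructed text (a .reg export, `netstat -ano` output, file paths);
nothing here touches a live system. SCAN_THRESHOLD is an illustrative assumption.
"""
import ntpath
import re

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
DROPPED_NAME = "wintbp.exe"                          # %System%\wintbp.exe (also the mutex name)
DOWNLOAD_NAME = re.compile(r"^a\d{4}\.exe$", re.I)   # "a<number>.exe", number 1000..9999
BATCH_NAME = re.compile(r"^\d{3}\.bat$")             # "<number>.bat", number 100..999, in %Temp%
TFTP_PORT = 69
SMB_PORT = 445
SCAN_THRESHOLD = 5   # assumption: this many distinct hosts in SYN_SENT on 445 looks like scanning

REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"$')
TCP_LINE = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
UDP_LINE = re.compile(r"^\s*UDP\s+\S+:(\d+)\s+\*:\*\s+(\d+)\s*$")


def check_registry(reg_lines):
    """Flag a value under the HKLM Run key that launches wintbp.exe."""
    findings, in_run_key = [], False
    for raw in reg_lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower().endswith(RUN_KEY_SUFFIX)
            continue
        m = REG_VALUE.match(line)
        if in_run_key and m and DROPPED_NAME in (m.group(1) + m.group(2)).lower():
            findings.append(f"Run key value {m.group(1)!r} -> {m.group(2)!r}")
    return findings


def check_network(netstat_lines):
    """Flag the UDP/69 TFTP server and a burst of outbound SYNs to TCP/445 from one process."""
    findings, scan_targets = [], {}   # scan_targets: pid -> distinct hosts contacted on 445
    for line in netstat_lines:
        u = UDP_LINE.match(line)
        if u and int(u.group(1)) == TFTP_PORT:
            findings.append(f"TFTP listener on UDP {TFTP_PORT} (pid {u.group(2)})")
            continue
        t = TCP_LINE.match(line)
        if t and int(t.group(2)) == SMB_PORT and t.group(3) == "SYN_SENT":
            scan_targets.setdefault(t.group(4), set()).add(t.group(1))
    for pid, hosts in scan_targets.items():
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(f"pid {pid} has SYN_SENT to {len(hosts)} hosts on TCP {SMB_PORT}")
    return findings


def check_files(paths):
    """Flag the dropped copy, a TFTP-fetched a<number>.exe and the <number>.bat deleter."""
    findings = []
    for p in paths:
        name, parent = ntpath.basename(p), ntpath.dirname(p).lower()
        if name.lower() == DROPPED_NAME and parent.endswith("system32"):
            findings.append(f"dropped worm copy: {p}")
        elif DOWNLOAD_NAME.match(name):
            findings.append(f"TFTP-style download name: {p}")
        elif BATCH_NAME.match(name) and "temp" in parent:
            findings.append(f"self-deleting batch file: {p}")
    return findings


def scan_host(reg_lines, netstat_lines, paths):
    """Combine the three checks into one list of findings."""
    return check_registry(reg_lines) + check_network(netstat_lines) + check_files(paths)


# Constructed sample data shaped like the real artefacts (not captured from an infection).
SAMPLE_REG = [
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"',
    r'"wintbp.exe"="wintbp.exe"',
    r"[HKEY_LOCAL_MACHINE\Software\Example]",
    r'"Note"="wintbp.exe outside a Run key is not flagged by this check"',
]
SAMPLE_NETSTAT = [
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
    "  TCP    10.0.0.5:1039          10.0.0.9:445           ESTABLISHED     4",
] + [
    f"  TCP    10.0.0.5:{1045 + i}          192.0.2.{10 + i}:445         SYN_SENT        1880"
    for i in range(6)
] + [
    "  UDP    0.0.0.0:69             *:*                                    1880",
]
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\wintbp.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\a4821.exe",
    r"C:\DOCUME~1\user\LOCALS~1\Temp\257.bat",
]

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_PATHS):
        print(finding)
```

The three checks are deliberately independent so that a single hit (for example only the Run key, after the network activity has stopped) still surfaces; on a live host the same logic would be fed by `reg export`, `netstat -ano` and a directory listing of %System% and %Temp%, which is left out here so the example runs offline.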