Virus Name: W32.Zotob.D
Aliases: Worm:Win32/Zotob.D, WORM_ZOTOB.D, Win32/Sdbot.worm!MS05-039, IRCBot.et, W32/Dogbot-A
Zotob is a memory-resident worm that copies itself to the Windows System folder as Windrg32.exe and spreads across networks by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability. It creates a registry key to run its copy at start-up, contains a backdoor, and can follow commands from remote users. It tries to camouflage the IRC commands it sends by also sending Internet URLs gathered at random from any RSS feeds it finds. It exploits target systems over TCP port 445, starts an FTP server on TCP port 1117, and opens a remote shell on TCP port 7778. Zotob also tries to terminate services.exe, which can lead to a shutdown of the machine, and checks for a known value in the registry. If it finds this value, it displays a message box with "Drudgebot" as its title and the number 27 above an okay button. Finally, Zotob attempts to delete other malware and spyware from the infected system and from its registry.
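For host triage, the network behaviour described above can be checked against saved Windows `netstat -ano` output. The following is an added example, not part of the original entry: the function name, the fan-out threshold of 10 hosts and the sample rows are assumptions, and a match is a lead to investigate, since other software can use the same ports.

```python
import re
from collections import defaultdict

FTP_PORT = 1117     # FTP server port named in the description
SHELL_PORT = 7778   # remote shell port named in the description
SMB_PORT = 445      # port the worm targets on other systems
SMB_FANOUT = 10     # assumed threshold: distinct remote hosts on tcp/445

# One TCP row of Windows `netstat -ano` output.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def triage(netstat_text, fanout=SMB_FANOUT):
    """Return sorted findings that match the network behaviour described."""
    findings = set()
    smb_peers = defaultdict(set)  # pid -> remote hosts contacted on tcp/445
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _lhost, lport, rhost, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) in (FTP_PORT, SHELL_PORT):
            findings.add(f"pid {pid} listening on tcp/{lport}")
        elif int(rport) == SMB_PORT and state in ("SYN_SENT", "ESTABLISHED"):
            smb_peers[pid].add(rhost)
    for pid, peers in smb_peers.items():
        if len(peers) >= fanout:
            findings.add(f"pid {pid} contacting {len(peers)} hosts on tcp/445")
    return sorted(findings)


# Constructed sample: addresses, PIDs and ports are made up for illustration.
SAMPLE = "\n".join(
    [
        "  Proto  Local Address      Foreign Address    State        PID",
        "  TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4",
        "  TCP    0.0.0.0:1117       0.0.0.0:0          LISTENING    1840",
        "  TCP    0.0.0.0:7778       0.0.0.0:0          LISTENING    1840",
        "  TCP    10.0.0.5:2901      10.0.0.9:445       ESTABLISHED  4",
    ]
    + [f"  TCP    10.0.0.5:{3000 + i}      192.0.2.{i + 1}:445    SYN_SENT     1840"
       for i in range(12)]
)

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A file server or management host that legitimately talks to many peers on tcp/445 will exceed the assumed threshold, so tune `fanout` to the host's role.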
Copyright (c) 2005, 2008 A. Ryan Robbins. All Rights Reserved.