
Zotob Computer Virus

WORM_ZOTOB (named Bozori by Kaspersky) is a Mytob clone of Rbot parentage that exploits a Microsoft security hole: it spreads using a vulnerability in the Windows Plug and Play service, the service that lets users easily install hardware on their PCs. The vulnerability was publicly disclosed on Aug. 9 by Microsoft (MS05-039), together with a free fix. But by 12 August 2005, someone had posted code that could be used to build a worm, a piece of malicious software that replicates over networks. By Sunday 14 August 2005, the first ZOTOB worm was released into the wild, continuing the trend of hackers developing exploits ever faster. This exploitation is believed to be one of the fastest in the history of malware.

Microsoft's updated detection tool, which can be run from the Web or downloaded separately, now detects and deletes 10 variants of the Zotob bot.

The ZOTOB worm drops a copy of itself into the Windows system folder as Botzor.exe and modifies the HOSTS file on the infected user's computer so as to prevent the user from reaching certain anti-virus Web sites for online assistance. The backdoor component of the ZOTOB worm connects to specific Internet Relay Chat (IRC) servers and gives the attacker remote control over the affected system, which can then be used to infect other machines on the network.

The Zotob virus attacks Windows 2000, but according to Microsoft, PCs running Windows XP Service Pack 1 are also at risk if a file-sharing feature called "Simple File Sharing and ForceGuest" is enabled.

Technical Reference:

Zotob functions by installing a program inside a user's Windows system (probably via e-mail) and starting an FTP (file transfer protocol) server on the user's machine. Using that session, it downloads a copy of itself and then scans IP addresses for other machines that do not have the security patch that would block it. Zotob is a worm and backdoor Trojan for the Windows platform. It spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039). Zotob runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access to and control over the computer. Here is the summary of the ports used in the attack:

  • Port 445 - The worm scans for systems vulnerable to PnP exploit through this port
  • Port 33333 - FTP server port on infected systems
  • Port 8888 - The command shell port opened by the exploit code
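The three ports above are the network-side indicators a defender can watch for. The following Python script is an added example, not code from the original page or from any vendor write-up: it runs over a few constructed firewall log lines (timestamp, source, destination, destination port, action; no real traffic) and flags a source that sweeps many hosts on TCP/445 within a short window, plus any allowed connection to the FTP drop port 33333 or the exploit shell port 8888. The log format, window size and threshold are assumptions chosen for the example.

```python
"""Flag Zotob-style TCP/445 sweeps and backdoor-port connections in firewall logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "timestamp src dst dport action".
# 10.0.0.7 behaves like an infected host: it sweeps 445 and serves FTP on 33333.
SAMPLE_LOG = """\
2005-08-14T10:00:01 10.0.0.7 10.0.0.21 445 DROP
2005-08-14T10:00:01 10.0.0.7 10.0.0.22 445 DROP
2005-08-14T10:00:02 10.0.0.7 10.0.0.23 445 DROP
2005-08-14T10:00:02 10.0.0.7 10.0.0.24 445 DROP
2005-08-14T10:00:03 10.0.0.7 10.0.0.25 445 DROP
2005-08-14T10:00:03 10.0.0.7 10.0.0.26 445 ALLOW
2005-08-14T10:00:05 10.0.0.9 10.0.0.21 445 ALLOW
2005-08-14T10:00:06 10.0.0.9 10.0.0.21 445 ALLOW
2005-08-14T10:00:07 10.0.0.30 10.0.0.7 33333 ALLOW
2005-08-14T10:01:00 10.0.0.7 10.0.0.27 445 DROP
"""

# Ports named in the write-up above (assumed TCP for this example).
SCAN_PORT = 445
BACKDOOR_PORTS = {33333: "Zotob FTP server", 8888: "exploit command shell"}


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def parse_log(log_text):
    """Parse all non-empty lines, sorted by timestamp."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e[0])


def find_scanners(log_text, window_seconds=60, min_targets=5):
    """Return {src: set(dst)} for sources that hit >= min_targets distinct
    hosts on port 445 within any window_seconds window (a sweep, whatever the
    firewall action, since DROPs from an internal host are the useful signal)."""
    by_src = defaultdict(list)
    for ts, src, dst, port, _action in parse_log(log_text):
        if port == SCAN_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, hits in by_src.items():
        # hits are already time-ordered; slide a window starting at each hit
        for i, (t0, _dst) in enumerate(hits):
            targets = {d for t, d in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                scanners[src] = targets
                break
    return scanners


def backdoor_port_connections(log_text):
    """Return (src, dst, port) for allowed connections to the worm's FTP/shell ports;
    the destination is the host that deserves a closer look."""
    return [(src, dst, port)
            for _ts, src, dst, port, action in parse_log(log_text)
            if port in BACKDOOR_PORTS and action == "ALLOW"]


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"445 sweep from {src}: {len(targets)} distinct targets")
    for src, dst, port in backdoor_port_connections(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} ({BACKDOOR_PORTS[port]})")
```

A host that both sweeps 445 and accepts connections on 33333 is the typical profile of an infected machine; the 10.0.0.9 traffic (repeat SMB to a single server) is ordinary file sharing and is deliberately not flagged.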

When first run, W32/Zotob-A copies itself to botzor.exe. The following registry entries are created to run botzor.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "WINDOWS SYSTEM" = botzor.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  "WINDOWS SYSTEM" = botzor.exe

W32/Zotob-A also sets the following registry entry, which disables the SharedAccess service (Windows Firewall / Internet Connection Sharing), since a Start value of 4 means SERVICE_DISABLED:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
  Start = 4

The worm may drop a file 2pac.txt. This is a text file that may be safely deleted. W32/Zotob-A also appends new lines to the system HOSTS file in order to prevent access to certain websites:

127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 sophos.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
127.0.0.1 mcafee.com
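The registry values, HOSTS lines and listening ports described above are host-side indicators that can be checked without vendor tooling. The Python script below is an added example, not code from the original page: it parses a constructed HOSTS file, a constructed `reg export` (.reg) excerpt and a constructed `netstat -ano` excerpt, and reports the Zotob-A artefacts found in each. The vendor domain list, the `.reg` parsing (strings and dwords only) and the sample inputs are assumptions made for the example; on a real machine you would feed it the actual files and command output.

```python
"""Check HOSTS, registry export and netstat output for the Zotob-A artefacts above."""
import re

# Constructed HOSTS content: the worm's loopback entries after the stock header.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 sophos.com
127.0.0.1 mcafee.com
"""

# Constructed excerpt in `reg export` format (Windows Registry Editor 5.00).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""

# Constructed `netstat -ano` excerpt; PID 1488 stands in for the worm process.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       1488
"""

VENDOR_DOMAINS = ("symantec.com", "sophos.com", "mcafee.com")  # assumed watch list
LOOPBACK = {"127.0.0.1", "::1"}
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
SERVICE_DISABLED = 4          # Start=4 disables a Windows service
BACKDOOR_PORTS = (33333, 8888)


def hijacked_hosts_entries(hosts_text):
    """Return hostnames mapped to loopback that belong to an AV vendor domain."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip not in LOOPBACK:
            continue
        for name in names:
            if name != "localhost" and any(
                    name == d or name.endswith("." + d) for d in VENDOR_DOMAINS):
                found.append(name)
    return found


def parse_reg_export(reg_text):
    """Minimal .reg parser: {key: {value_name: str | int}} for REG_SZ and REG_DWORD."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if m:
                name, s, dw = m.groups()
                keys[current][name] = s if s is not None else int(dw, 16)
    return keys


def registry_indicators(reg_text):
    """Return human-readable findings for the Run/RunServices and SharedAccess artefacts."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key, {}).items():
            if isinstance(data, str) and "botzor.exe" in data.lower():
                hits.append(f"{key}\\{name} -> {data}")
    if keys.get(SHAREDACCESS, {}).get("Start") == SERVICE_DISABLED:
        hits.append("SharedAccess service disabled (Start=4): firewall/ICS switched off")
    return hits


def listening_backdoor_ports(netstat_text):
    """Return {port: pid} for TCP sockets LISTENING on the worm's FTP/shell ports."""
    out = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in BACKDOOR_PORTS:
                out[port] = int(f[4])
    return out


if __name__ == "__main__":
    print("HOSTS hijacks:", hijacked_hosts_entries(SAMPLE_HOSTS))
    print("Registry:", registry_indicators(SAMPLE_REG))
    print("Listening backdoor ports:", listening_backdoor_ports(SAMPLE_NETSTAT))
```

The PID reported for the listening ports is the one to map back to botzor.exe in Task Manager or `tasklist`; the HOSTS check deliberately ignores the stock `localhost` line so a clean file produces no findings.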

Check for and Remove the Zotob Infection:

Use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive. This tool checks for and removes infections from Zotob.A through Zotob.E as well as Bobax.O, Esbot.A, Rbot.MA, Rbot.MB, and Rbot.MC. It also checks for and removes all versions of malicious software that the tool has been updated to remove.

Updated On: 15.02.17
