Zotob details



Here are some details on the zotob worm (s) culled from several sources….

It copies itself to the Windows system folder as BOTZOR.EXE, it modifies the hosts file to frustrate attempts to access antivirus sites. The .b variant copies itself as csm.exe in the Windows System folder. Both variants create a Mutex so that only one copy can run at a time.

According to Sarc the .b variant adds
“csm Win Updates” = “csm.exe”
to the registry at two locations

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

so that it runs at Windows boot. It also modifies
“Start” = “4”

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
disabling shared access.

It opens an ftp server on port 33333 (TCP), tries to connect to an IRC server to allow remote control of the PC, attempts to spread within the local subnet.

Also it drops 2pac.txt and haha.exe in the system folder.

The host file modifications are as follows:

11. …. Made By …. Greetz to good friend [REMOVED] in the next 24hours!!!

127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 symantec.com
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 update.symantec.com
127.0.0.1 updates.symantec.com
127.0.0.1 us.mcafee.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 customer.symantec.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 pandasoftware.com
127.0.0.1 www.pandasoftware.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
127.0.0.1 www.microsoft.com
127.0.0.1 microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 virustotal.com
127.0.0.1 www.amazon.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 www.amazon.ca
127.0.0.1 www.amazon.fr
127.0.0.1 www.paypal.com
127.0.0.1 paypal.com
127.0.0.1 moneybookers.com
127.0.0.1 www.moneybookers.com
127.0.0.1 www.ebay.com
127.0.0.1 ebay.com

This covers a wide net of sites (Amazon Paypal Ebay) beyond the usual security/antivirus sites.

The only difference I can see between .a and .b is the name of the executable (botzor.exe and csm.exe)

News.com also has more coverage.

   Send article as PDF   

Similar Posts