
Botzor.exe Patch Virus

Botzor.exe is an internet worm that exploits the Windows vulnerability MS05-039 (Plug and Play buffer overflow) to penetrate the computer. This worm doesn’t spread by email.

The Botzor.exe worm creates 300 threads that connect to random IP addresses. First it tests the connection to port 445 and, if successful, tries to exploit the vulnerability. If the attack is successful, a shell (cmd.exe) is started on port 8888. Through the shell port, the worm sends an FTP script that instructs the remote computer to download and execute the worm from the attacking computer using FTP.

The file named "botzor.exe" is created in the system folder (one of C:\Windows\System, C:\Windows\System32, C:\WinNT\System32, depending on the Windows version) on an infected computer. A few registry keys are modified. The worm is activated by the registry item "WINDOWS SYSTEM" with the value "botzor.exe" in the keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
The "Shared Access" service is disabled by setting the "Start" item to the value "4" in the key:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
This service is required for the Windows firewall to function.
The worm runs an FTP server on port 33333 and opens an IRC connection to the server diabl0.turkcoders.net. This IRC connection might be used for remote control of the infected computer.
Win32:Zotob-B is like Zotob, but the worm file is named "csm.exe" and the registry item is named "csm Win Updates".
The Win32:Zotob-C file is named "per.exe". This version also spreads by email, in addition to the exploit infection channel. It collects mail addresses on the infected computer and builds new addresses by combining the domains it finds with a list of names that is part of the worm. The infected mail has one of the following subjects: "Confirmed...", "Hello", "Important!", "**Warning**", "Warning". The mail body can contain one of the following texts: "hey!!", "looooool", "OK here is it!", "That’s your photo!!?", "We found a photo of you in...". The infected attachment can have one of the extensions .bat, .cmd, .exe, .pif or .scr and one of the names "image", "loool", "photo", "picture", "sample", "webcam photo", "your photo".

Win32:Zotob-D uses the name "windrg32.exe". The worm file is saved to the subfolder "wbev" of the system folder, for example C:\Windows\System32\Wbev\windrg32.exe. It connects to a few IRC servers. The worm tries to end processes with the names "botzor.exe", "cmesys.exe", "csm.exe", "cxtpls.exe", "ebatesmoemoneymaker.exe", "nhupdater.exe", "pnpsrv.exe", "qttask.exe", "realsched.exe", "viewmgr.exe", "winpnp.exe". It adds an item named "WinDrg32" with the value "%system%\wbev\windrg32.exe" to the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It deletes the items of a few different adware programs and of older versions of Zotob from this key and from the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. It also deletes the files and folders of those adware programs.

Win32:Zotob-E uses the filename "wintbp.exe". The item in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key is named "wintbp".

Zotob.exe is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039).
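
As an added example (not part of the original page), the following Python check scans registry text for the autorun items and the SharedAccess change described above. It assumes input laid out like `reg query` output (name, type and data separated by four spaces); the function names, the sample dump and its "Updater" entry are constructed for illustration.

```python
import re

# Indicators from the description above: Run-key item name -> worm file name.
RUN_ITEMS = {
    "windows system": "botzor.exe",    # Botzor.exe
    "csm win updates": "csm.exe",      # Zotob-B
    "windrg32": "windrg32.exe",        # Zotob-D
    "wintbp": "wintbp.exe",            # Zotob-E
}
# Zotob-C ("per.exe"): the page gives no Run item name, so match the file only.
WORM_FILES = set(RUN_ITEMS.values()) | {"per.exe"}
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Yield (key, name, type, data) from text laid out like `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_LINE.match(line)):
            yield (key, *m.groups())

def find_zotob_indicators(text):
    """Return findings for the autorun items and the SharedAccess change."""
    findings = []
    for key, name, _type, data in parse_reg_query(text):
        k = key.lower()
        base = data.strip().strip('"').rsplit("\\", 1)[-1].lower()  # file name only
        if k.endswith(AUTORUN_KEYS):
            if name.lower() in RUN_ITEMS or base in WORM_FILES:
                findings.append(f"autorun: {name} = {data}")
        elif k.endswith("\\services\\sharedaccess") and name.lower() == "start":
            if int(data, 16) == 4:  # DWORDs are printed as hex, e.g. 0x4
                findings.append("SharedAccess disabled (Start = 4)")
    return findings

# Constructed sample input, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    WINDOWS SYSTEM    REG_SZ    botzor.exe
    WinDrg32    REG_SZ    %system%\wbev\windrg32.exe
    Updater    REG_SZ    C:\Program Files\Vendor\update.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start    REG_DWORD    0x4
"""

if __name__ == "__main__":
    print("\n".join(find_zotob_indicators(SAMPLE)))
```

A Start value of 4 on SharedAccess can also be set by an administrator, so that finding carries weight mainly when it appears together with one of the autorun items.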
