
Zotob.A Virus Worm Patch


Zotob.A is a Mytob W32 virus that spreads by exploiting a vulnerability in the Windows Plug and Play service.

The worm is a packed PE executable file 22528 bytes long. When run, the Zotob virus worm copies itself into the "SYSTEM" directory under the name botzor.exe and creates a named mutex, BOTZOR, to make sure that only one copy of the worm runs at a time.

Then it adds the following registry entries to ensure that it is started when a user logs on or the system is restarted:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM" = botzor.exe

The Zotob.A worm also adds the following registry entry to disable the Shared Access service:

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start" = "4"

The worm scans through TCP/445 for systems vulnerable to the Microsoft Windows Plug and Play service flaw (MS05-039).

It creates 300 threads that connect to random IP addresses within the B-class (255.255.0.0) network of the infected system. It first tests the connection to port 445 and, if that succeeds, tries to exploit the vulnerability. If the attack is successful, a shell (cmd.exe) is started on port 8888. Through the shell port, the Zotob.exe worm sends an FTP script that instructs the remote computer to download the worm from the attacking computer over FTP and execute it. An FTP server listens on port 33333 on all infected computers to serve the worm to other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.

Here is a summary of the ports used in the attack:

Port 445 - The worm scans for systems vulnerable to the PnP exploit through this port
Port 33333 - FTP server port on infected systems
Port 8888 - The command shell port opened by the exploit code

The exploit uses fixed offsets inside the Windows 2000 version of umpnpmgr.dll. This means that only Windows 2000 systems (SP0-4) are affected.

Please see the following page for detailed information on the vulnerability:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

The worm tries to connect to an IRC channel at a predefined address. An attacker who knows the channel password can instruct the bot to perform the following actions:

Disconnect/reconnect from the IRC channel
Request system information
Download and execute files
Remove Zotob.A virus worm from the system
Manipulate system security settings

Other details
Zotob.A modifies the system hosts file in order to disable access to certain sites. The following hostnames are redirected to the localhost IP address (127.0.0.1):
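The host indicators described above (listening ports 8888 and 33333, the botzor.exe autorun value, the disabled SharedAccess service, hosts-file redirects) can be checked against artifacts collected from a suspect machine. The Python sketch below is an added example, not part of the original write-up. It assumes `netstat -an` output, decoded `.reg` export text and the hosts file as inputs, and because the hostname list is not reproduced here it flags any name other than localhost that points at 127.0.0.1.

```python
# Indicators are the ones listed in the write-up above; sample inputs are constructed.
WORM_PORTS = {8888: "exploit command shell", 33333: "worm FTP server"}
AUTORUN_KEYS = (r"\currentversion\run]", r"\currentversion\runservices]")
DISABLED = ('"start"=dword:00000004', '"start"="4"')  # .reg DWORD form (assumed) or the page's notation

def check_netstat(text):
    """Listening TCP sockets on the worm's ports, from `netstat -an` output."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in WORM_PORTS:
                hits.append(f"TCP/{port} listening: {WORM_PORTS[port]}")
    return hits

def check_registry(text):
    """Autorun and SharedAccess changes, from decoded .reg export text."""
    hits, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            key = line.lower()          # remember which key the next values belong to
        elif key.endswith(AUTORUN_KEYS) and "botzor.exe" in line.lower():
            hits.append(f"autorun value under {key}: {line}")
        elif key.endswith(r"\services\sharedaccess]") and line.lower().replace(" ", "") in DISABLED:
            hits.append("SharedAccess service disabled (Start = 4)")
    return hits

def check_hosts(text):
    """Hostnames other than localhost redirected to 127.0.0.1."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if fields and fields[0] == "127.0.0.1":
            hits += [f"hosts redirect: {h}" for h in fields[1:] if h.lower() != "localhost"]
    return hits

# Constructed sample artifacts (not captured from a real host).
NETSTAT = """  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING
  TCP    0.0.0.0:8888     0.0.0.0:0    LISTENING
  TCP    0.0.0.0:33333    0.0.0.0:0    LISTENING"""
REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004'''
HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-vendor.example  # constructed name\n"
if __name__ == "__main__":
    print("\n".join(check_netstat(NETSTAT) + check_registry(REG) + check_hosts(HOSTS)))
```

Registry exports are normally written as UTF-16, so decode the file before passing its text to `check_registry`. A listener on port 445 alone is not flagged, since that is the ordinary SMB service.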
