Summary
Zotob.B is a worm that exploits a vulnerability in the Windows Plug and Play service (MS05-039) in order to propagate.
Spreading description
When Zotob.B is first run, it copies itself to the %WINDIR% folder as csm.exe.
It also creates the following entries in the registry to ensure it gets started with Windows:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\csm Win Updates = csm.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\csm Win Updates = csm.exe
The worm then tries to connect to random IP addresses and, if successful, will try to exploit the Plug and Play service on the remote machine in order to create a remote command shell. The worm then instructs the client to download a copy of itself via an FTP server on the infected machine. Once this is done, the client will execute its copy of the worm.
Threat description
Zotob.B will attempt to disable the Windows XP firewall and Internet Connection Sharing.
The worm also appends the following entries to the hosts file, in order to prevent access to certain websites:
- www.symantec.com
- securityresponse.symantec.com
- symantec.com
- www.sophos.com
- sophos.com
- www.mcafee.com
- mcafee.com
- liveupdate.symantecliveupdate.com
- www.viruslist.com
- viruslist.com
- f-secure.com
- www.f-secure.com
- kaspersky.com
- kaspersky-labs.com
- www.avp.com
- www.kaspersky.com
- avp.com
- www.networkassociates.com
- networkassociates.com
- www.ca.com
- ca.com
- mast.mcafee.com
- my-etrust.com
- www.my-etrust.com
- download.mcafee.com
- dispatch.mcafee.com
- secure.nai.com
- nai.com
- www.nai.com
- update.symantec.com
- updates.symantec.com
- us.mcafee.com
- liveupdate.symantec.com
- customer.symantec.com
- rads.mcafee.com
- trendmicro.com
- pandasoftware.com
- www.pandasoftware.com
- www.trendmicro.com
- www.grisoft.com
- www.microsoft.com
- microsoft.com
- www.virustotal.com
- virustotal.com
- www.amazon.com
- www.amazon.co.uk
- www.amazon.ca
- www.amazon.fr
- www.paypal.com
- paypal.com
- moneybookers.com
- www.moneybookers.com
- www.ebay.com
- ebay.com
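The two host-based traces described above (the csm Win Updates value under the Run and RunServices keys, and the appended hosts-file entries) are straightforward to check for offline. The following is an added example and not part of Norman's description or tooling: it parses a hosts file and a .reg export of the Run keys and reports the indicators the advisory names. The sample hosts file and registry export, the 127.0.0.1 address, and the subset of domains used are constructed for the example; the full list of names in the advisory can be dropped into ZOTOB_B_HOSTS unchanged.

```python
import re

# Subset of the hosts-file names the advisory says Zotob.B appends
# (constructed subset for the example; extend with the full list as needed).
ZOTOB_B_HOSTS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "www.mcafee.com", "liveupdate.symantecliveupdate.com",
    "www.microsoft.com", "microsoft.com", "www.virustotal.com", "www.paypal.com",
}

# Registry value the advisory names: "csm Win Updates" = csm.exe under Run/RunServices.
RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
}
RUN_VALUE_NAME = "csm Win Updates"
RUN_VALUE_DATA = "csm.exe"


def hosts_hijacks(hosts_text):
    """Return (hostname, address) pairs for every hosts-file line that maps one of
    the advisory's vendor/commerce names to any address. The redirect target does
    not matter for detection: a legitimate hosts file has no entry for these names.
    Comments and blank lines are skipped."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            if name.lower() in ZOTOB_B_HOSTS:
                hits.append((name.lower(), addr))
    return hits


def reg_export_persistence(reg_text):
    """Parse a Registry Editor (.reg) text export and return the Run/RunServices
    keys that carry the 'csm Win Updates' = csm.exe persistence value."""
    found = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            # .reg exports use the long hive name; normalise to the advisory's HKLM form
            current_key = key.group(1).replace("HKEY_LOCAL_MACHINE", "HKLM")
            continue
        val = re.match(r'^"([^"]+)"="(.*)"$', line)
        if val and current_key in RUN_KEYS:
            name, data = val.group(1), val.group(2)
            if name == RUN_VALUE_NAME and data.lower().endswith(RUN_VALUE_DATA):
                found.append(current_key)
    return found


def indicators_present(hosts_text, reg_text):
    """True if either trace of the worm is present in the supplied artefacts."""
    return bool(hosts_hijacks(hosts_text)) or bool(reg_export_persistence(reg_text))


# Constructed sample hosts file: two vendor names and one Microsoft name redirected.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1 www.symantec.com
127.0.0.1 securityresponse.symantec.com
127.0.0.1 www.microsoft.com # appended by worm
192.168.1.20 intranet.example.local
"""

# Constructed sample .reg export of the two autostart keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"csm Win Updates"="csm.exe"
"LegitApp"="C:\\Program Files\\Legit\\legit.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"csm Win Updates"="csm.exe"
"""

if __name__ == "__main__":
    for name, addr in hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts file redirects {name} -> {addr}")
    for key in reg_export_persistence(SAMPLE_REG):
        print(f"persistence value found under {key}")
    print("indicators present:", indicators_present(SAMPLE_HOSTS, SAMPLE_REG))
```

On a live system the inputs would be %WINDIR%\System32\drivers\etc\hosts and the output of `reg export` for the two keys; the checks are read-only, so they can be run from a clean boot before any removal step.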
Removal
Zotob.B is detected and removed with definition files later than 17 August 2005.
General information about removal of malicious software
Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program, available from the link below, if your Norman antivirus is unable to clean up the infection.