
Win32.Worm.Zotob.A


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.Worm.Zotob.A is also known as Zotob.

Explanation:

The worm comes packed with UPack and is about 22 KB in size. It spreads by exploiting a Plug and Play (PnP) vulnerability over port 445.

At startup, the worm disables the Windows XP SP2 firewall (if present), registers itself with Windows to be run at every system startup, and copies itself into the %SYSDIR% directory. It also overwrites the DRIVERS\ETC\HOSTS file, which blocks updates for most antivirus products.

The worm has two major components: an FTP server and a "search and exploit" thread. First it starts the FTP server. It then takes the IP address of the current computer and keeps only the first two octets (for example, 192.168.0.1 is split into 192.168 and 0.1: the first two octets stay constant, while the last two are generated randomly to find other computers on the local area network). The worm "pings" each generated IP to check whether a computer is actually there, and then tries to exploit it. If the exploit is successful, a Windows batch file (.bat) is dropped on the victim that downloads the worm via FTP from the attacking computer's IP address and starts it on the victim computer.
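A defender-side illustration of the propagation pattern just described (an added example, not part of BitDefender's write-up): it scans constructed flow records for a host that probes many addresses inside its own /16 on TCP 445 and is then contacted back over FTP, the download step performed by the dropped batch file. The flow-record format and the probe threshold are assumptions.

```python
"""Flag Zotob-style propagation in flow records: one host probing many
addresses inside its own /16 on TCP 445, with victims then connecting
back to it over FTP (port 21) to fetch the payload."""
from collections import defaultdict
from ipaddress import ip_address
import re

# Constructed sample flow records (not from the original page): "src> dst:port"
SAMPLE_FLOWS = """
192.168.0.1> 192.168.77.201:445
192.168.0.1> 192.168.12.9:445
192.168.0.1> 192.168.200.14:445
192.168.0.1> 192.168.3.55:445
192.168.0.1> 192.168.41.7:445
192.168.0.1> 192.168.9.130:445
192.168.0.1> 10.0.0.5:445
192.168.3.55> 192.168.0.1:21
192.168.5.5> 192.168.0.1:445
"""

FLOW_RE = re.compile(r"(\S+)>\s*(\S+):(\d+)")


def same_slash16(a, b):
    """True when both addresses share their first two octets (the part Zotob keeps)."""
    return ip_address(a).packed[:2] == ip_address(b).packed[:2]


def find_zotob_like_scanners(text, min_targets=5):
    """Return {scanner: {"probed": n, "fetched_payload": [victims]}} for hosts
    that hit at least min_targets distinct /16-local addresses on port 445."""
    probes = defaultdict(set)    # src -> distinct /16-local destinations hit on 445
    ftp_back = defaultdict(set)  # ftp server -> clients that connected to it on 21
    for m in FLOW_RE.finditer(text):
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port == 445 and same_slash16(src, dst):
            probes[src].add(dst)
        elif port == 21:
            ftp_back[dst].add(src)
    hits = {}
    for src, targets in probes.items():
        if len(targets) >= min_targets:
            # probed hosts that later came back over FTP: likely exploited victims
            fetched = targets & ftp_back.get(src, set())
            hits[src] = {"probed": len(targets), "fetched_payload": sorted(fetched)}
    return hits
```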

The worm reports its current operational status over IRC to its creator's channel (for example after a successful exploit and infection), and it also accepts commands from its creator over IRC. It can also be updated to a newer version via IRC or HTTP.

Last update 21 November 2011
