

Important Email Virus Alert

W32.Zotob.L

Virus Characteristics: W32.Zotob.L is a worm that opens a back door and exploits various vulnerabilities. The worm spreads by exploiting vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).

Type: Worm | Infection Length: 178,176 bytes | Systems Affected: Windows 2000/95/98/Me/NT/XP

Technical Details:

When executed, W32.Zotob.L performs the following actions:

  1. Creates the following mutex so that only one copy of the worm runs on the compromised computer at one time: beegees
  2. Copies itself as %System%\windbg32.exe.
    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  3. Adds the value:
    "Windows Debugger" = "windbg32.exe"
    to the registry subkeys:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    so that it runs every time Windows starts.
  4. Connects to an IRC server on the p.wallload.com domain on TCP port 8080 to listen for IRC commands that allow the attacker to perform the following actions:
    • Download and execute files from the IRC server.
    • Delete the worm from the compromised computer.
  5. Attempts to exploit the following vulnerabilities in order to spread:
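A host-side check for the indicators in steps 1 to 4, added here as an example; it is not part of the original alert and not a vendor removal tool. It assumes PowerShell 4 or later (for Get-FileHash) running with administrative rights on the host under review. The mutex name, file name and registry value are taken from the list above; because the alert does not say which namespace the mutex is created in, both the session-local and the Global name are tried. The IRC domain and port from step 4 are not checked here.

```powershell
# Added example: look for the W32.Zotob.L host indicators quoted in the alert.
# Reports only; it does not delete files or registry values.
$findings = @()

# Step 1: mutex "beegees". OpenExisting throws WaitHandleCannotBeOpenedException
# when no mutex of that name exists, so an exception here means "not present".
foreach ($name in @('beegees', 'Global\beegees')) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($name)
        $m.Dispose()
        $findings += "Mutex present: $name"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex exists but access was denied: $name"
    }
}

# Step 2: dropped copy at %System%\windbg32.exe. The System folder is resolved
# through .NET so the check works regardless of the Windows version.
$sysDir   = [Environment]::GetFolderPath('System')
$dropPath = Join-Path $sysDir 'windbg32.exe'
if (Test-Path -LiteralPath $dropPath) {
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $findings += "File present: $dropPath (SHA256 $hash)"
}

# Step 3: persistence value "Windows Debugger" under Run and RunServices.
# RunServices does not exist on NT-based systems, so a missing key is skipped.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    $val   = $props.PSObject.Properties['Windows Debugger']
    if ($null -ne $val) {
        $findings += "Registry value: $key -> 'Windows Debugger' = '$($val.Value)'"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Zotob.L host indicators found.'
} else {
    Write-Output 'W32.Zotob.L indicators found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A hit on the registry value alone is worth treating as confirmed only together with the file or mutex, since any value could be named "Windows Debugger"; a match on the file path should be followed by hashing and submitting the sample rather than by manual deletion, which is what the removal tool referenced below is for.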

Removal Tool:

For more information and/or a removal tool visit:

 

09/28/2007 16:30