
W32.Zotob.E


Brief Description:
--------------------
W32.Zotob.E is a worm that exploits the Windows Plug and Play vulnerability (MS05-039) that has been the subject of recent announcements. It opens a back door and attempts to spread to other vulnerable machines on internal and external networks. We have not had any reports of this worm appearing on campus yet, although it has been spreading rapidly worldwide.

Characteristics:
------------------
When W32.Zotob.E is executed, it performs the following actions:

1. Creates the mutex "wintbp.exe", so that only one copy of the worm runs at one time.

2. Copies itself as %System%\wintbp.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

3. Adds the value:
       "Wintbp.exe" = "wintbp.exe"
   to the registry subkey:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   so that it runs every time Windows starts.

4. Attempts to detect network connections and a routable IP address. The worm may fail to operate correctly if it determines it is not connected to a network or if the computer's IP address is non-routable.

5. Attempts to connect to the IRC server 72.20.27.115 on TCP port 8080 to listen for the following commands:
• Download and execute remote files
• Terminate the worm and delete the file from the compromised computer

6. Opens UDP port 69 to initiate TFTP.

7. Sends packets to IP addresses generated at random based on the IP address of the compromised computer. The generated addresses keep the first two octets of the compromised computer's address and use randomly generated values for the third and fourth octets. The worm switches to generating entirely random IP addresses after 32 failures on local addresses, or after 512 failures if it was successful at least once.

8. Attempts to spread by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039), using TCP port 445.

9. If successful, the exploit code will open a back door using TCP port 8594 on the remote computer.

10. Sends the file %Temp%\[NUMBER].bat to the target computer via the back door. This file contains a TFTP script that will download a copy of the worm from the compromised computer.

Note:
• [NUMBER] represents a string of several random digits (0-9)
• %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

11. Saves this file as %Windir%\a[NUMBER].exe on the target computer and executes it.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

12. Logs the successfully exploited IP addresses to the IRC server 72.20.27.115.
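The network behaviour in steps 5 through 10 above (fan-out to TCP 445 within the host's own first two octets, the back door on TCP 8594, the TFTP pull on UDP 69, and the check-in with 72.20.27.115:8080) can be matched against firewall or flow logs. The script below is an added example written for this page, not code from the advisory or from Penn ISC. The log line format it parses is assumed for the example, and the sample log it builds is constructed, with a hypothetical infected host 10.0.3.7 and victim 10.0.40.221.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators taken from the advisory text above.
IRC_C2 = ("72.20.27.115", 8080)   # IRC command server, TCP 8080
BACKDOOR_PORT = 8594              # TCP back door the exploit opens on the victim
TFTP_PORT = 69                    # UDP TFTP, used by the victim to pull the worm copy
SMB_PORT = 445                    # MS05-039 Plug and Play exploit runs over TCP 445

# Assumed log format (constructed for this example, not a real product's format):
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def find_zotob_indicators(lines, scan_threshold=8):
    """Return a sorted list of (host, reason) findings that match the worm's behaviour."""
    findings = []
    smb_targets = defaultdict(set)  # source -> distinct hosts it touched on TCP 445

    for ev in filter(None, map(parse_line, lines)):
        src, dst, dport, proto = ev["src"], ev["dst"], ev["dport"], ev["proto"]
        if proto == "TCP" and (dst, dport) == IRC_C2:
            findings.append((src, "contacted Zotob.E IRC server 72.20.27.115:8080"))
        elif proto == "TCP" and dport == BACKDOOR_PORT:
            findings.append((dst, f"accepted back door connection on TCP {BACKDOOR_PORT} from {src}"))
        elif proto == "UDP" and dport == TFTP_PORT:
            findings.append((src, f"TFTP transfer from {dst} (worm copy pulled after exploit)"))
        elif proto == "TCP" and dport == SMB_PORT:
            smb_targets[src].add(dst)

    # Step 7 of the advisory: targets keep the source's first two octets (its /16)
    # with random third and fourth octets. Flag fan-out to many distinct hosts and
    # report how many of them fall inside the source's own /16.
    for src, dsts in smb_targets.items():
        if len(dsts) >= scan_threshold:
            own_16 = ipaddress.ip_network(f"{src}/16", strict=False)
            local = sum(1 for d in dsts if ipaddress.ip_address(d) in own_16)
            findings.append((src, f"TCP 445 fan-out to {len(dsts)} hosts ({local} inside {own_16})"))
    return sorted(findings)


def build_sample_log():
    """Constructed sample: infected 10.0.3.7 scans its /16, exploits 10.0.40.221, reports to IRC."""
    lines = []
    # 12 distinct targets inside 10.0.0.0/16, standing in for the worm's random 3rd/4th octets
    for i in range(12):
        third, fourth = (i * 37) % 256, (i * 91 + 5) % 256
        lines.append(f"12:00:{i:02d} TCP 10.0.3.7:{1100 + i} -> 10.0.{third}.{fourth}:445 ALLOW")
    lines += [
        "12:00:20 TCP 10.0.3.7:1130 -> 10.0.40.221:8594 ALLOW",    # back door on the new victim
        "12:00:21 UDP 10.0.40.221:1025 -> 10.0.3.7:69 ALLOW",      # victim pulls the worm via TFTP
        "12:00:25 TCP 10.0.3.7:1131 -> 72.20.27.115:8080 ALLOW",   # IRC check-in / success report
        "12:01:00 TCP 10.0.8.2:2049 -> 10.0.0.5:445 ALLOW",        # benign single file-share access
        "this line is not in the expected format",                 # ignored by the parser
    ]
    return lines


if __name__ == "__main__":
    for host, reason in find_zotob_indicators(build_sample_log()):
        print(f"{host}: {reason}")
```

The fan-out threshold is the only tunable: a file server legitimately talks to many clients on TCP 445, so in practice you would raise it, or restrict the rule to sources that are not known servers, rather than alert on every host that touches eight SMB peers.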

Recovery:
-----------
Given that this worm/trojan combination compromises machines at the system level, formatting infected machines is recommended. A full system format is the only way to completely ensure network and data security after a compromise such as this.

Protection:
------------
To prevent machines from being infected or targeted, you must install the patch for the Plug-n-Play vulnerability. There are different patch downloads depending on operating system and service pack level. For full details and downloads, see the following page.

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Symantec virus definitions dated 8/16/2005 revision y (25) or later will detect this worm. Instructions on how to update NAV definition files are located at:

http://www.upenn.edu/computing/help/doc/virus/nav/winnavupdate.html

Further information:
-----------------------
For further information regarding W32.Zotob.E see the following sites.

http://www.symantec.com/avcenter/venc/data/w32.zotob.e.html
http://www.f-secure.com/v-descs/bozori_a.shtml
http://vil.nai.com/vil/content/v_135491.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
http://www.sophos.com/virusinfo/analyses/w32tpbota.html

Information Systems and Computing
University of Pennsylvania