Thursday, April 14, 2011

Removal of W32.Zotbot Worm.gen

W32/Zotob.worm

Also Known As:
W32/Zotob.worm (McAfee)
W32/Zotob.worm.gen (McAfee)
W32.Zotob (Symantec)
W32/Bozor.A.worm (Panda)
WORM_MYTOB.JS (Trend Micro)
W32/Zotob-A (Sophos)
Zotob.A (F-secure)
Win32/Zotob.A!Worm (CA)
Net-Worm.Win32.Mytob.cd (Kaspersky)

Summary
Win32/Zotob is a network worm that primarily targets Microsoft Windows 2000 computers that do not have Microsoft Security Bulletin MS05-039 installed. MS05-039 patches the Windows Plug-and-Play buffer overflow vulnerability. Win32/Zotob can also infect computers running other Windows operating systems if it is delivered through e-mail, instant messaging, or other routes. The worm has a backdoor component that connects to an IRC server to receive commands from attackers.

Symptoms
There are no readily apparent indications that your computer is infected with a variant of Win32/Zotob. However, certain symptoms may indicate that your computer is infected by this worm. See the Win32/Zotob child variants for more information.


Technical Information
Win32/Zotob takes the following actions:
Copies itself to the Windows system folder.
Exits after running the copied worm file. The worm copy then takes the following actions:
  Modifies the Windows registry so that the worm copy runs each time Windows starts.
  Scans random IP addresses to establish connections with other computers. The worm sends exploit code to a remote computer when a connection is established. If the remote computer is running Windows 2000 and does not have MS05-039 installed, the exploit code causes the remote computer to download and run a copy of the worm.
  Connects to an IRC server to receive commands such as the following from attackers:
    Retrieve system information such as CPU speed, memory usage, Windows operating system, connection type, IP address, and Windows logon information.
    Download and run files.
    Remove the worm.
  Modifies the Windows system hosts file, \drivers\etc\hosts, to block access to certain Web sites.
  Disables the Internet Connection Firewall/Internet Connection Sharing service by modifying a registry key.
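The hosts-file tampering described above leaves a recognisable trace: hostnames other than localhost mapped to a loopback or null address. The script below is an added example (not from the original post or Microsoft's write-up) that parses a hosts file and flags such entries; the sample hosts content and its .invalid domains are constructed placeholders, not the sites any real variant blocks.

```python
import ipaddress

# Addresses a hostname is legitimately mapped to only when it is a local name.
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}
BENIGN_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                "ip6-localhost", "ip6-loopback"}

# Constructed sample: a default hosts file plus block-style entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- constructed entries illustrating a block of update/AV sites ---
127.0.0.1       update.example-av.invalid   # placeholder domain
0.0.0.0         downloads.example-vendor.invalid www.example-vendor.invalid
::1             localhost
10.0.0.5        intranet.corp.invalid       # ordinary mapping, not flagged
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for every mapping in a hosts file.
    Comments (after '#') and blank or malformed lines are skipped."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so not a mapping
        for name in names:
            yield ip, name.lower(), lineno


def suspicious_entries(text):
    """Return (line_number, ip, hostname) for entries that redirect a
    non-local hostname to a loopback/null address, the pattern left behind
    when a hosts file is edited to block access to a site."""
    flagged = []
    for ip, name, lineno in parse_hosts(text):
        if ip in LOOPBACK_OR_NULL and name not in BENIGN_NAMES:
            flagged.append((lineno, ip, name))
    return flagged


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

On a live system, read %SystemRoot%\system32\drivers\etc\hosts into `text` instead of the constructed sample.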

Certain Win32/Zotob variants can also perform actions such as the following:
Terminate other processes and delete certain files in the Windows system folder or Windows program files folder.
Register the worm as a service. This causes the worm to start as a service each time Windows starts, so that the worm continues running regardless of whether any user is logged on.
Monitor a specific port for requests. Upon receiving a request, the worm can send a copy of itself to another computer using a protocol such as TFTP.
Spread through e-mail by sending a copy of the worm as an attachment to e-mail addresses found on the infected computer.
Remove or disable certain adware, spyware, and malicious software applications.

This malicious software can be removed using the Microsoft Malicious Software Removal Tool.
