Lumension® Endpoint Intelligence Center


Overview

Threat Risk: MEDIUM
Destructivity: MEDIUM
Payload:
Detection files published:
Description created: 17 Aug 2005 01:50:00
Description updated: 17 Aug 2005 01:50:00
Malware type: WORM
Alias:
Spreading mechanism: NETWORK
Summary: None

Zotob.B

Spreading

When Zotob.B is first run, it copies itself to the %WINDIR% folder as csm.exe. It also creates the following entries in the registry to ensure it is started with Windows:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\csm Win Updates = csm.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\csm Win Updates = csm.exe

The worm then tries to connect to random IP addresses and, where a connection succeeds, tries to exploit the Plug and Play service on the remote machine in order to open a remote command shell. Through that shell it instructs the remote machine to download a copy of the worm from an FTP server running on the already infected machine; once the download completes, the remote machine executes its copy of the worm.

Payload Details

Zotob.B will attempt to disable the Windows XP firewall and Internet Connection Sharing. The worm also appends the following entries to the hosts file, in order to prevent access to certain websites:

www.symantec.com
securityresponse.symantec.com
symantec.com
www.sophos.com
sophos.com
www.mcafee.com
mcafee.com
liveupdate.symantecliveupdate.com
www.viruslist.com
viruslist.com
viruslist.com
f-secure.com
www.f-secure.com
kaspersky.com
kaspersky-labs.com
www.avp.com
www.kaspersky.com
avp.com
www.networkassociates.com
networkassociates.com
www.ca.com
ca.com
mast.mcafee.com
my-etrust.com
www.my-etrust.com
download.mcafee.com
dispatch.mcafee.com
secure.nai.com
nai.com
www.nai.com
update.symantec.com
updates.symantec.com
us.mcafee.com
liveupdate.symantec.com
customer.symantec.com
rads.mcafee.com
trendmicro.com
pandasoftware.com
www.pandasoftware.com
www.trendmicro.com
www.grisoft.com
www.microsoft.com
microsoft.com
www.virustotal.com
virustotal.com
www.amazon.com
www.amazon.co.uk
www.amazon.ca
www.amazon.fr
www.paypal.com
paypal.com
moneybookers.com
www.moneybookers.com
www.ebay.com
ebay.com
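The two host-based indicators this write-up gives, the "csm Win Updates" Run/RunServices values pointing at csm.exe (Spreading section) and the security-vendor domains pinned in the hosts file (Payload Details), are easy to check for on a suspect machine. The script below is an added example and is not part of the Lumension write-up: it parses hosts-file text and a dictionary of Run-key values and flags entries that match the indicators above. The sample hosts content and Run-key values are constructed for illustration, and the domain set is a subset of the page's list.

```python
"""Check a hosts file and Run-key values for the Zotob.B indicators
described in the write-up (added example, not part of the original page).

The hosts-file check only parses text, so it runs on any platform; the
Run-key check takes value names and data as a plain mapping so it can be
fed from an exported registry key or tested offline.
"""
import re

# Subset of the domains the write-up says Zotob.B appends to the hosts file.
BLOCKED_DOMAINS = {
    "www.symantec.com", "securityresponse.symantec.com", "symantec.com",
    "www.sophos.com", "sophos.com", "www.mcafee.com", "mcafee.com",
    "liveupdate.symantec.com", "update.symantec.com", "www.f-secure.com",
    "f-secure.com", "www.kaspersky.com", "kaspersky.com", "www.trendmicro.com",
    "trendmicro.com", "www.microsoft.com", "microsoft.com",
    "www.virustotal.com", "virustotal.com",
}

# "<address> <hostname> [<hostname> ...]" after comments are stripped.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def suspicious_hosts_entries(hosts_text):
    """Return (line_no, address, hostname) for every hosts entry that pins a
    known security-vendor domain to an address. Any address counts: the point
    of the tampering is that the name no longer resolves to the real site."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments, including trailing ones
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        address, names = m.group(1), m.group(2).split()
        for name in names:
            if name.lower() in BLOCKED_DOMAINS:
                hits.append((lineno, address, name.lower()))
    return hits


def suspicious_run_values(run_values):
    """run_values maps value name -> value data as read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (or RunServices).
    Flags the 'csm Win Updates' = csm.exe persistence the write-up describes."""
    return sorted(
        name for name, data in run_values.items()
        if data.strip().lower().endswith("csm.exe")
        or name.strip().lower() == "csm win updates"
    )


# Constructed sample hosts file: a normal localhost line plus worm-style entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com  # appended by malware
127.0.0.1       www.microsoft.com
127.0.0.1       intranet.example.invalid
"""

# Constructed sample of Run-key values, one benign and one matching the worm.
SAMPLE_RUN = {
    "csm Win Updates": "csm.exe",
    "SecurityHealth": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for lineno, address, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts line {lineno}: {name} -> {address}")
    for name in suspicious_run_values(SAMPLE_RUN):
        print(f"Run value flagged: {name}")
```

On a live Windows host the hosts file is %SystemRoot%\System32\drivers\etc\hosts, and the Run-key mapping can be built from a `reg export` of the two keys quoted above; a hit on either check is a reason to pull the machine off the network and run current definitions, not proof of infection by itself, since administrators sometimes pin vendor domains deliberately.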

Analysis

n/a

Removal

Zotob.B is detected and removed with definition files later than 17 August 2005.


Last Updated: 12 Nov 2015 11:06:15