Description:
To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident worm drops a copy of itself in the Windows system folder as BOTZOR.EXE.
This worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, refer to the following Microsoft Web page:
It starts an FTP server on port 33333 of the infected machine. The MS05-039 exploit code it sends to a target downloads a copy of this worm through that port.
This worm scans IP addresses on port 445 for vulnerable machines. Once it detects an unpatched system, it drops a script that downloads a copy of this worm, named HAHA.EXE, from the FTP server.
Note that this propagation routine works only on Windows NT and 2000, because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting it in Windows XP and Server 2003.
This worm also modifies the system's HOSTS file, which maps host names to IP addresses. It adds several lines in order to prevent access to certain antivirus Web sites.
Moreover, this worm adds the following lines that appear to be messages addressed to antivirus companies:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
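As an added defensive example, not part of the original description, the following Python audits a HOSTS file for the two tampering patterns described above: non-local host names pinned to a loopback or null address, and lines carrying the worm's quoted message text. The sample HOSTS content and the blocked domain names are constructed, since the description does not name the antivirus sites involved.

```python
import ipaddress

# Constructed sample HOSTS file, not captured from a real infection. The two
# trailing lines reproduce the message text quoted in the description; the
# blocked domains are placeholders for the AV sites the description does not name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test
0.0.0.0         update.example-av-vendor.test   # constructed placeholder
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
"""

# Marker strings taken from the text quoted in the description (matched case-insensitively).
MARKERS = ("botzor2005", "msg to avs:", "based on hellbot3")

# Addresses that silently black-hole a host name when used in HOSTS.
SINKHOLE_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/32"))
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def audit_hosts(text):
    """Return (line_no, reason, line) findings for the body of a HOSTS file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if any(m in line.lower() for m in MARKERS):
            findings.append((n, "worm marker text", raw))
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            # HOSTS lines must begin with an address; anything else is foreign text.
            findings.append((n, "non-hosts-format line", raw))
            continue
        if any(addr in net for net in SINKHOLE_NETS):
            blocked = [h for h in parts[1:] if h.lower() not in LOCAL_NAMES]
            if blocked:
                findings.append((n, "host blocked via " + str(addr), raw))
    return findings


if __name__ == "__main__":
    for line_no, reason, line in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {line}")
```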
This worm also has backdoor capabilities, which enable it to connect to the Internet Relay Chat (IRC) server diabl0.turkcoders.net via port 8080. Once a connection is established, it joins a specific IRC channel, where it listens for commands coming from a remote malicious user.
Description created: Aug. 14, 2005 6:30:32 AM GMT -0800