Description:
To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below:
Malware Overview
Upon execution, this memory-resident worm drops a copy of itself as PER.EXE in the Windows system folder.
This worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding the said vulnerability, refer to the following Microsoft Web page:
Note that the said propagation routine works only on Windows NT and 2000 because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting it on Windows XP and Server 2003.
This worm starts an FTP server on the affected machine, listening on port 33333. The exploit code (MS05-039) then downloads a copy of the worm from this port.
It generates IP addresses and checks whether port 445 is open on each target address, regardless of whether the target machine is actually vulnerable to the MS05-039 exploit. If port 445 is open, the worm attempts to use the MS05-039 exploit to gain access to the target machine.
If access is gained, this worm drops a script that downloads a copy of itself named HAHA.EXE from the FTP server.
This worm also propagates via email. It sends a copy of itself as an attachment to email messages, which it delivers to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine.
The email it sends has the following details:
Subject: (any of the following)
• **Warning**
• Confirmed...
• Hello
• Important!
• Warning!!
Message body: (any of the following)
• 0K here is it!
• hey!!
• Looooool
• That's your photo!!?
• We found a photo of you in ...
Attachment: (using any of the following file names)
• image
• loool
• Photo
• picture
• sample
• webcam_photo
• your_photo
(with any of the following extensions)
• BAT
• CMD
• EXE
• PIF
• SCR
• ZIP
It gathers target email addresses from the Windows Address Book (WAB). It may also generate email addresses by combining a particular list of names with a domain name copied from the harvested addresses in the WAB.
This worm also has backdoor capabilities. It connects to a particular Internet Relay Chat (IRC) server via port 8080. Once a connection is established, it joins a specific IRC channel, where it listens for commands coming from a remote malicious user.
It modifies the system's HOSTS file, which contains host-name-to-IP-address mappings, to prevent affected users from accessing certain antivirus Web sites.
Moreover, this worm adds the following lines to the HOSTS file, which appear to be messages addressed to antivirus companies:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
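As an added example (not part of the original description), the following Python check audits a HOSTS file for the two symptoms described above: hostnames redirected to a loopback or null address, and the worm's marker lines. The sample HOSTS content and the `.example` hostnames are constructed; only the two marker lines come from the description.

```python
import re
from typing import Dict, List

# Constructed sample HOSTS content (not from the page). The two trailing
# lines are the marker text quoted in the description.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avvendor1.example   # redirected to loopback
0.0.0.0         update.avvendor2.example
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
"""

# Addresses commonly used to "sinkhole" a hostname so it never resolves.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback and must not be flagged.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
# Substrings of the worm's marker lines, as quoted in the description.
MARKERS = ("Botzor2005", "MSG to avs:")


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify HOSTS lines into sinkholed hostnames, marker lines and malformed lines."""
    findings: Dict[str, List[str]] = {"sinkholed": [], "markers": [], "malformed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        if any(marker in line for marker in MARKERS):
            findings["markers"].append(line)
            continue
        fields = line.split()
        # A valid entry is "<address> <hostname> [alias ...]".
        if len(fields) < 2 or not re.fullmatch(r"[0-9a-fA-F.:]+", fields[0]):
            findings["malformed"].append(line)
            continue
        addr, names = fields[0], fields[1:]
        if addr in SINKHOLE_ADDRS:
            findings["sinkholed"].extend(
                n.lower() for n in names if n.lower() not in BENIGN_LOOPBACK
            )
    return findings


def looks_tampered(findings: Dict[str, List[str]]) -> bool:
    """True if any sinkholed hostname, marker line or malformed line was found."""
    return any(findings.values())


if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(result, "tampered:", looks_tampered(result))
```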
Description created: Aug. 15, 2005 12:57:52 PM GMT -0800