|
Description:
As of August 16, 2005 at 5:12 PM (Pacific Daylight Time), TrendLabs has declared a Medium Risk alert in order to control the spread of this ZOTOB variant. Infection reports have been received from Brazil and the United States.
To get a one glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.
Malware Overview
This memory-resident worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, please refer to the following Microsoft Web page:
It exploits the target system through port 445. It initiates an FTP server on the affected system. The affected system then opens a remote shell on port 7778 and creates an FTP script through the remote shell.
When the exploit code encounters an error on the target machine, it causes SERVICES.EXE, which holds most of the system services, to terminate. This in turn causes the target machine to shut down.
Note that this propagation routine works only on Windows NT and 2000, because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting it on Windows XP and Server 2003.
This worm checks for a certain vaue in the system registry. If this value is found then it displays the following message box:
This worm has backdoor capabilities. It opens random ports and connects to an IRC server and join a specific channel, where a remote user can then perform malicious actions on the affected machine, including terminating processes and downloading files.
This worm launches a thread designed to remove certain malware and spyware from the system. It does this by going through a cycle of process termination, file/folder deletion, and registry cleanup.
For additional information about this threat, see:
Solution
Technical Details
Description created: Aug. 16, 2005 1:39:13 PM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
