VID 24087
Severity 40
Port 8888
Protocol TCP
Class BackDoor
Detailed Description The backdoor of the Zotob worm appears to be installed on the system. W32.Zotob.A is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). When a vulnerable system is found, a buffer overflow and shellcode are sent to the remote system, creating an FTP script (the script file name is 2pac.txt) and launching FTP.EXE to download and execute the worm from the source system (haha.exe is fetched via TCP port 33333). W32.Zotob.A has the following features:

- It includes backdoor capabilities (TCP port 8888).
- It may be remotely controlled, via Internet Relay Chat (IRC) channels.
- The worm creates the file botzor.exe in the Windows system directory, and registry Run keys are created to load the worm at startup.
- The HOSTS file is appended to block access to anti-virus websites.
- The Zotob family also disables the Windows Update service.

* References:
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135467

* Platforms Affected:
Microsoft Windows Any version
Recommendation Remove this worm immediately. Most antivirus vendors have updated their software to detect W32.Zotob.A, so you should download any available updates through the product's live update feature and remove W32.Zotob.A using antivirus software.

-- AND --

Ensure that all patches for Microsoft Windows are applied in order to minimize the threat of a system compromise, and enforce a password policy for all user accounts.