Watch out for the W32.Zotob.E & W32.Esbot.A virus

Status
Not open for further replies.

EricB
They must be dangerous because they were on the news, and all of the A/V makers have sent out bulletins.

W32.Zotob.E
W32.Zotob.E is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445. W32.Zotob.E can run on, but not infect, computers running Windows 95/98/Me/NT4/XP. Although computers running these operating systems cannot be infected, they can still be used to infect vulnerable computers that they can connect to.


W32.Esbot.A
W32.Esbot.A is a worm that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
Note: Virus definitions were posted on August 15th for this threat.


http://www.nod32.com/home/home.htm
http://securityresponse.symantec.com/avcenter/tools.list.html
http://www.avast.com/eng/win_zotob.html
http://www.grisoft.com/doc/Updates/lng/ww/tpl/tpl01


Kaspersky Lab said:
The biggest virus epidemic since Sasser and Mydoom? Kaspersky Lab comments on the current situation

Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, spyware, spam and hacker attacks, has the following statement regarding the malicious programs Zotob / Bozori.

A large number of international publications have issued information about a virus that has infected the networks of many major corporations and caused the biggest epidemic of the year. According to reports broadcast on CNN, ABC News, the NY Times and the US Congress have been affected. Other publications have reprinted this information, including the Russian media. There is some confusion as to what is actually happening, and the name(s) of the virus.

We have established that the media are describing an incident caused by a worm, which has the following names:

* Zotob.e (Symantec)
* WORM_RBOT.CBQ (Trend Micro)
* IRCBot.Worm (McAfee)
* Tpbot-A (Sophos)
* Net-Worm.Win32.Bozori.a (Kaspersky Lab)
* Zotob.d (F-Secure)

Kaspersky Lab was among the first antivirus companies to detect this virus, and an urgent update was issued at 01:50 Moscow time (GMT+4), today (17 August 2005). It should also be noted that the Virus Laboratory did not receive notification either from Russian or overseas users about infections caused by this worm. There has not been any noticeable increase in network activity which could be ascribed to this worm. During the Sasser epidemic (some media are comparing the current situation to the Sasser epidemic) in May 2004, which some publications are using as a comparison for Bozori.a, Sasser caused an increase in network traffic of approximately 20% to 40%. At the moment, there are no signs of a similar increase.

This worm exploits the Plug n Play vulnerability in Microsoft Windows (MS05-039) for which a patch was issued on 9 August 2005. It can be downloaded from Microsoft's site at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Since the patch was issued, approximately 10 malicious programs which exploit this vulnerability to spread have been detected. Three Mytob variants (.ce, .cf, .ch) which some antivirus companies called Zotob. The media has published information about these, some of which appears to be speculation which was not supported by any factual evidence of an epidemic. Several Trojan .bot programs have also been detected, from the Rbot and IRCBot families. None of these .bots have caused any significant epidemic.

Kaspersky Lab has no concrete information from users confirming infection by Bozori.a. This and the other facts given above would seem to confirm that at the moment, there is no epidemic.

A description of Net-Worm.Win32.Bozori.a is available in the Virus Encyclopaedia.
 
Mmm... with that much text, I still don't read how the hell I get that virus in the first place. Does it spread by P2P/webpage/MSN or some other means?

And if the virus can run on but not infect Windows 95/98/Me/NT4/XP, then what the hell are the NY Times and the US Congress running? Windows 3.1?
 
We have to be more concerned about W32.Esbot.A.

I guess the other one is for non-Windows-based software.
 
EricB said:
We have to be more concerned about W32.Esbot.A.

I guess the other one is for non-Windows-based software.

Mmm... Then I'm betting that the author forgot to think about how many people are using Windows then :D

But it still doesn't answer the question of how it spreads...
 
Copied from a link above:

is an internet worm, using the Windows bug MS05-039 (Plug and Play Buffer Overflow, http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx) to penetrate the computer. This worm doesn't spread by email.

The worm creates 300 threads that connect to random IP addresses. First it tests the connection to port 445 and, if successful, it tries to exploit the vulnerability. If the attack is successful, a shell (cmd.exe) is started on port 8888. Through the shell port, the worm sends an FTP script which instructs the remote computer to download and execute the worm from the attacker's computer using FTP.

The file named "botzor.exe" is created in the system folder (one of C:\Windows\System, C:\Windows\System32, C:\WinNT\System32 depending on the Windows version) on an infected computer. A few registry keys are modified. The worm is activated by the registry item "WINDOWS SYSTEM" with the value "botzor.exe" in the keys:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

The "Shared Access" service is disabled by putting the value "4" in the "Start" item of the key:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess

This service is required for the Windows firewall to function.

The worm runs an FTP server on port 33333 and opens an IRC connection to the server diabl0.turkcoders.net. This IRC connection might be used for remote control of the infected computer.

Win32:Zotob-B is like Zotob, but the worm file is named "csm.exe" and the registry item is named "csm Win Updates".

The Win32:Zotob-C file is named "per.exe". This version also spreads by email, in addition to the exploit infection channel. It collects mail addresses on the infected computer and combines new addresses from the found domains with a list of names that is part of the worm. The infected mail has one of the following subjects: "Confirmed...", "Hello", "Important!", "**Warning**", "Warning". The mail body could contain one of the following texts: "hey!!", "looooool", "OK here is it!", "That's your photo!!?", "We found a photo of you in...". The infected attachment can have one of the extensions .bat, .cmd, .exe, .pif or .scr and one of the names "image", "loool", "photo", "picture", "sample", "webcam photo", "your photo".

The Win32:Zotob-D uses the name "windrg32.exe". The worm file is saved to the subfolder "wbev" of the system folder, for example C:\Windows\System32\Wbev\windrg32.exe. It connects to a few IRC servers. The worm tries to end processes with the names "botzor.exe", "cmesys.exe", "csm.exe", "cxtpls.exe", "ebatesmoemoneymaker.exe", "nhupdater.exe", "pnpsrv.exe", "qttask.exe", "realsched.exe", "viewmgr.exe", "winpnp.exe". It adds an item named "WinDrg32" with the value "%system%\wbev\windrg32.exe" to the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It deletes items of a few different adwares and older versions of Zotob from this key and the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce. It also deletes files and folders of those adwares.

Win32:Zotob-E uses the filename "wintbp.exe". The item in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key is named "wintbp".
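The autorun names, payload file names, disabled SharedAccess service and listening ports in the description above are exactly what a responder would check a Windows 2000 box for. The following is an added example (not from the page, avast or any vendor) that runs those checks over a host snapshot; the snapshot layout (plain dicts and sets, in practice filled from the Run/RunServices keys, the SharedAccess Start value and netstat output) is an assumption, and the two sample snapshots are constructed.

```python
import re

# Autorun value names and payload file names quoted in the description above.
AUTORUN_INDICATORS = {
    "WINDOWS SYSTEM": "botzor.exe",  # Zotob (original)
    "csm Win Updates": "csm.exe",    # Zotob-B
    "WinDrg32": "windrg32.exe",      # Zotob-D (%system%\wbev\windrg32.exe)
    "wintbp": "wintbp.exe",          # Zotob-E
}
PAYLOAD_FILES = set(AUTORUN_INDICATORS.values()) | {"per.exe"}  # per.exe: Zotob-C
WORM_PORTS = {8888: "cmd.exe shell", 33333: "worm FTP server"}
SERVICE_DISABLED = 4  # Start=4 means the service is disabled


def scan_snapshot(snapshot):
    """Return a list of findings for one host snapshot (assumed layout):
    run / runservices: {value name: data} from the two autorun keys,
    sharedaccess_start: the Start item of the SharedAccess service,
    listening_ports: set of TCP ports the host is listening on."""
    findings = []
    for key in ("run", "runservices"):
        for name, data in snapshot.get(key, {}).items():
            exe = re.split(r"[\\/]", data.strip('"'))[-1].lower()  # last path part
            if name in AUTORUN_INDICATORS or exe in PAYLOAD_FILES:
                findings.append(f"{key}: '{name}' = {data} (Zotob autorun entry)")
    if snapshot.get("sharedaccess_start") == SERVICE_DISABLED:
        findings.append("SharedAccess Start=4: Windows Firewall service disabled")
    for port in sorted(snapshot.get("listening_ports", set()) & set(WORM_PORTS)):
        findings.append(f"tcp/{port} listening ({WORM_PORTS[port]})")
    return findings


# Constructed snapshots: one mimicking a Zotob victim, one clean host.
INFECTED = {
    "run": {"WinDrg32": r"C:\WINDOWS\System32\wbev\windrg32.exe"},
    "runservices": {"WINDOWS SYSTEM": "botzor.exe"},
    "sharedaccess_start": 4,
    "listening_ports": {135, 445, 8888, 33333},
}
CLEAN = {
    "run": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "runservices": {},
    "sharedaccess_start": 2,
    "listening_ports": {135, 445},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, scan_snapshot(snap) or ["no Zotob indicators"])
```

A hit on the SharedAccess check alone is worth following up even without an autorun hit, since the description says a disabled SharedAccess service leaves the Windows firewall unable to run.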
 
Originally posted by Columbus Dispatch
COMPUTER VIRUSES
Businesses taking hit as hackers copy worms
Thursday, August 18, 2005
Leslie Brooks Suzukamo
KNIGHT RIDDER NEWSPAPERS

ST. PAUL, Minn. — An Internet shootout is going on between rival computer-worm gangs this week, and major U.S. businesses got riddled in the crossfire, security experts said.

A computer worm dubbed Zotob infects computers using Microsoft's Windows 2000 operating system that were not protected by a software patch Microsoft put out last week. Windows 2000 is used mostly by large businesses, and the Zotob outbreak is not as big a threat as 2003's massive Blaster eruption, anti-virus vendors said yesterday.

But Zotob went prime-time Tuesday when it crippled several major media companies, including ABC, CNN and the New York Times. ABC News said its reporters used electric typewriters to write their broadcasts when their computers shut down.

Zotob also highlighted trends that worry security experts: First, the Zotob worm appeared Sunday, only four days after Microsoft Corp. warned of a security hole in Windows 2000 and urged its customers to patch it.

Not so long ago, it took weeks or months for worm writers to take advantage of a security hole, but a Russian hacker took only two days to post on the Internet an "exploit code." This is not a worm itself but a blueprint for writing the worm that takes advantage of the vulnerability, said Graham Cluley, a senior technology consultant for Sophos Anti-Virus, a firm based in Oxford, Britain.

"Microsoft must be furious that the exploit code was published so quickly," Cluley said.

A series of bad worm outbreaks in the past has taught businesses to patch promptly, but many need time to test the software patches to make sure they do not disrupt productive applications, experts said.

"Most of the time it’s not a matter of being too slow — it’s a matter of being careful," said Aric Bandy, vice president of customer service at Techies Outsourced IT in St. Louis Park, Minn., an outsourcing firm for small to midsized businesses.

Microsoft releases patches on a monthly schedule, and the lack of a major outbreak may have let people become "relaxed or complacent about applying patches," said Rick Greenwood, chief technology officer for Shavlik Technologies, a Roseville, Minn., firm that makes software to manage computer patches from Microsoft.

Microsoft released a statement Tuesday rating Zotob a "low threat" for its customers.

The second trend that security experts noticed is that a host of particularly aggressive new computer worms appeared this week from multiple sources.

When a worm from one source found a computer that was infected with a worm from another, it removed or disabled the rival worm to hijack the machine for itself, they said.

"There's a dozen of these things going around and what's interesting is they are fighting one another," Cluley said. "We think each is controlled by a different gang." There is no way to tell who is sending the worms, he said.

The gangs may be trying to assemble "zombie computers" that disable Web sites by overloading them with junk data or steal passwords, bank account numbers or other sensitive information in identity-theft schemes, security experts said.

Some experts expect the Zotob outbreak to taper off, but Greenwood said he believes it will continue to grow. Employees who work on laptop computers may bring the worm in on their machines behind their company's firewall when they return to the office, he said.
 
Courtesy of NOD32

Press Release Source: ESET

ESET Emphasizes the Importance of Proactive Protection to Prevent Outbreaks Like Zotob
Monday August 22, 9:00 am ET
ESET Customers Were Protected Before the Worm Was Released; Company Offers Free Downloadable Remover to Those Infected

SAN DIEGO--(BUSINESS WIRE)--Aug. 22, 2005-- ESET, a global security software solutions company providing next-generation malware protection, maintains that organizations that implement proactive anti-threat solutions could have averted the effects of threats like Zotob. The first worm surfaced on Sunday and seemed to have faded by Monday. However, several variants and another new worm were subsequently identified. Despite the onslaught of new detections, ESET's customers were protected from this threat before the worm was even released. ESET's NOD32 anti-threat solution uses unique ThreatSense(TM) technology, which employs behavior-based analysis to detect malicious threats.

Win32/Zotob is a variant of the Win32/Mytob worm, but does not spread through email; instead, it exploits the MS05-039 plug-and-play vulnerability on port 445 on Windows 2000 systems. Serious cases of infection have only affected companies running on the Windows 2000 platform, including some of the largest U.S. media companies like CNN, ABC, and The New York Times.

"As seen by the recent damage caused at major corporations like ABC and The New York Times, near-zero day attacks are on the rise and patches simply cannot offer immediate protection," said Andrew Lee, chief technology officer, ESET. "The importance of real-time malware protection is clear. ESET's customers' systems were not impacted by this fast-moving threat because the malicious behavior of Zotob was detected and reported at its onset."

ESET is providing a free remover for any infected systems not protected by its NOD32 anti-threat software. The remover can be downloaded at www.eset.com.

ESET's Virus Radar, a real-time malware tracking tool, identified the new Zotob worm using NOD32. Virus Radar provides site visitors with easy access to in-depth analysis of the latest malicious outbreaks and processes approximately four million email messages per day to provide information such as the exact date a virus was first detected and its current detection rate. Virus Radar is also capable of tracking the progression of a single virus over a given period -- in some instances from the earliest heuristic detection of a new virus to the point where the virus disappears.

About ESET
 