MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2005

MA-094.082005: MyCERT Special Alert - W32.Zotob Worm

Original Issue Date: 17th August 2005

Introduction

MyCERT received information from various reliable sources regarding the circulation of a particular worm and its variants, known as the W32.Zotob worm. Most anti-virus vendors had rated the W32.Zotob worm as LOW in infection rating and MEDIUM in damage rating. Based on the reports MyCERT received, we have seen no indication of widespread impact of this worm on the Internet infrastructure in Malaysia, yet.

Brief Description

At the time of writing, the W32.Zotob worm has 5 variants:

  1. W32.Zotob.A was discovered on 13th August 2005 (UTC Time)
  2. W32.Zotob.B was discovered on 14th August 2005 (UTC time)
  3. W32.Zotob.C@MM was discovered on 15th August 2005 (UTC Time)
  4. W32.Zotob.D was discovered on 16th August 2005 (UTC Time)
  5. W32.Zotob.E was discovered on 16th August 2005 (UTC Time)

The worm spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability described in the URL below:

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

NOTE: the variant W32.Zotob.C is a mass-mailing worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability; it arrives as an e-mail attachment with a .pif, .scr, .exe, .cmd, or .bat file extension.

The worm targets vulnerable/unpatched Windows 2000 systems, except for W32.Zotob.C, which targets Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP. Variants A, B, D and E can run on other platforms without infecting them, but such machines can still be used to infect vulnerable computers that they can connect to.

The worm propagates via TCP ports 445, 8080, and 33333.

Please be informed that if your machine is not patched with MS05-039, the likelihood of being infected by other worms that use the same vulnerability is high. The Rbot worm is another example of a worm that exploits the same vulnerability; once you are infected by Zotob, you might also be infected by Rbot. Rbot represents a large family of backdoors (hackers' remote access tools) that allow attackers to control victims' computers remotely by sending commands via IRC channels. These backdoors can also steal data and spread to the local network and to other computers vulnerable to the exploits.

Payload

  1. Allows unauthorized remote access (W32.Zotob.A/W32.Zotob.B)

  2. Opens a back door (W32.Zotob.D/W32.Zotob.E)

  3. Attempts to detect network connections and a routable IP (W32.Zotob.E)

  4. Ends processes, some of which may be security-related (W32.Zotob.D)

  5. It may lead to machine or system instability, because a backdoor has been installed on the infected machine. Once the backdoor is installed, the symptoms shown by the infected machine vary depending on what the attacker chooses to do with it.

How to Tell if your Computer is Infected

  1. Presence of worm-related files in your system folder.

  2. Excessive network traffic over port 445.

  3. The infected machine, once the backdoor has been installed, might have unusual ports open. Check that every open port on your machine is a trusted and valid one.

  4. Internet Connection Firewall/Internet Connection Sharing service is disabled.
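As an added illustration (not part of the MyCERT advisory), the script below applies indicators 2 and 3 above, together with the propagation ports named in the Brief Description, to a constructed firewall log: it flags any source that contacts many distinct hosts on TCP/445 and any connection on ports 8080 or 33333. The log format, IP addresses and fan-out threshold are assumptions.

```python
"""Flag the Zotob propagation pattern from the advisory in firewall logs: one source
fanning out to many hosts on TCP/445 (the MS05-039 exploit path) plus any traffic on
the secondary ports 8080 and 33333. Added illustration; log format is constructed."""
from collections import defaultdict

EXPLOIT_PORT = 445               # port the worm attacks (advisory, indicator 2)
SECONDARY_PORTS = {8080, 33333}  # other propagation ports named in the advisory
FANOUT_THRESHOLD = 5             # hypothetical: more distinct /445 targets than this is suspicious

# Constructed log lines: "<time> <src_ip> <dst_ip> <dst_port> <proto>"; .20 scans six hosts.
SAMPLE_LOG = """\
10:00:01 192.168.1.20 192.168.1.1 445 tcp
10:00:01 192.168.1.20 192.168.1.2 445 tcp
10:00:02 192.168.1.20 192.168.1.3 445 tcp
10:00:02 192.168.1.20 192.168.1.4 445 tcp
10:00:03 192.168.1.20 192.168.1.5 445 tcp
10:00:03 192.168.1.20 192.168.1.6 445 tcp
10:00:04 192.168.1.40 192.168.1.10 445 tcp
10:00:05 192.168.1.40 192.168.1.10 445 tcp
10:00:06 192.168.1.30 192.168.1.20 33333 tcp
10:00:07 192.168.1.50 10.0.0.8 53 udp
this line is malformed on purpose
"""

def parse_line(line):
    """Return (src, dst, dport) for a TCP record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "tcp":
        return None
    try:
        return parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def analyse(log_text):
    """Return {'scanners': {src: distinct 445 targets}, 'secondary': [(src, dst, port)]}."""
    targets = defaultdict(set)
    secondary = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:          # skip non-TCP and malformed records
            continue
        src, dst, dport = rec
        if dport == EXPLOIT_PORT:
            targets[src].add(dst)
        elif dport in SECONDARY_PORTS:
            secondary.append(rec)
    scanners = {s: len(t) for s, t in targets.items() if len(t) > FANOUT_THRESHOLD}
    return {"scanners": scanners, "secondary": secondary}
```

A host that only talks to its usual file server on 445 (192.168.1.40 in the sample) is not flagged; the fan-out to many distinct hosts is what distinguishes worm scanning from normal SMB use.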

Detection

Scan the infected computer with updated anti-virus software to detect the presence of the worm.

NOTE: Users MUST update their anti-virus software in order to detect and delete the worm.

Removal Steps

The worm can be removed by using an automatic removal tool to clean up the infected machine.

  1. Disconnect the machine from the network.

  2. Apply the MS05-039 patch.

    NOTE: The patch can be downloaded on a clean machine and transferred on removable media (CD).

  3. Run the automatic removal tool to clean the infected machine.

    The automatic removal tool can be downloaded at:

    Symantec
    http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.removal.tool.html

    NOTE: The removal tool can be downloaded on a clean machine and transferred on removable media (diskette).

  4. Re-scan the machine to confirm if it is clean.

  5. Re-connect the machine to the network.

Prevention

  1. Enable a personal firewall on your computer.
  2. Install the latest computer updates/patches.
  3. Use up-to-date antivirus software.

References:

  1. Symantec
    http://securityresponse.symantec.com

  2. Trend Micro
    http://www.trendmicro.com

  3. McAfee
    http://vil.nai.com

  4. F-Secure
    http://www.f-secure.com/weblog/

  5. Microsoft
    http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

MyCERT can be reached for assistance at:

Tel: 03-89961901
Fax: 03-89960827
Email: mycert@mycert.org.my
SMS: 019-2813801