W32.Zotob.B


Aliases: CME-164, Mytob.IR, W32/Zotob.worm, W32/Zotob.worm.b, W32/Zotob-B, Backdoor.Win32.IRCBot.et
Variants: Win32/Mytob.IR, Win32/Zotob.A, Win32/Zotob.B!Worm, Worm.IRCBot.DL, Worm.Zotob.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 14 Aug 2005
Damage: Low

Characteristics: W32.Zotob.B is a worm and backdoor Trojan for the Windows platform that registers itself in the system registry. It spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability.

More details about W32.Zotob.B

W32.Zotob.B is a self-executing worm that runs continuously as a hidden process and provides a backdoor server through which remote attackers can gain access to and control of the machine. When activated, the worm starts up to 200 processes that search for other computers over TCP port 445, resulting in poor system performance. It also copies itself as an executable file into the infected computer's Windows System folder, and then modifies the Windows HOSTS file to block access to security websites. The worm is about 15,386 bytes long and was written to exploit Windows 2000; although it can run on other Windows operating systems, from those it can still be used to infect Windows 2000 machines reachable on the network.

When executed, only one copy of the worm runs on the compromised device. It copies itself as an executable file and adds a value under the registry's Run subkeys so that the program is launched every time the system starts. W32.Zotob.B is capable of disabling the Shared Access service on Windows XP and Windows 2000. The worm connects to a specific domain hosting an IRC server via TCP port 8080 to allow unauthorized remote access to the infected computer, generates random IP addresses derived from the current IP address, and spreads itself to the computers at those addresses.
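The two host-visible behaviours described above, TCP/445 fan-out scanning and HOSTS-file tampering against security sites, can be triaged from a firewall log and a copy of the HOSTS file. The following is an added defender-side example, not code from this entry; the log format, the IP addresses and the vendor watch-list are constructed assumptions.

```python
"""Triage for Zotob.B-style activity: a source hitting TCP/445 on many distinct
hosts, and HOSTS entries pinning security-vendor names to an address (assumptions)."""
from collections import defaultdict
import re

# Constructed firewall log: "<timestamp> <src> -> <dst>:<port> tcp SYN"
FW_LOG = """\
2005-08-14T10:00:01 10.0.0.5 -> 10.0.0.17:445 tcp SYN
2005-08-14T10:00:01 10.0.0.5 -> 10.0.0.18:445 tcp SYN
2005-08-14T10:00:01 10.0.0.5 -> 10.0.0.19:445 tcp SYN
2005-08-14T10:00:02 10.0.0.5 -> 10.0.0.20:445 tcp SYN
2005-08-14T10:00:02 10.0.0.9 -> 10.0.0.17:445 tcp SYN
2005-08-14T10:00:03 10.0.0.9 -> 10.0.0.2:80 tcp SYN
"""
LINE_RE = re.compile(r"^\S+ (\S+) -> (\S+):(\d+) tcp SYN$")

def find_445_scanners(log, min_targets=3):
    """Map each source that tried TCP/445 on >= min_targets distinct hosts to that count."""
    targets = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "445":
            targets[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

# Constructed HOSTS file as the worm might leave it (comments and blank lines included)
HOSTS_FILE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost

127.0.0.1 www.symantec.com
127.0.0.1 liveupdate.symantec.com
127.0.0.1 www.mcafee.com   # pinned by the worm
"""
# Assumed watch-list of vendor domains; extend with whatever your environment relies on
SECURITY_DOMAINS = {"symantec.com", "mcafee.com", "kaspersky.com", "sophos.com", "microsoft.com"}

def find_hosts_blocks(hosts_text, watched=SECURITY_DOMAINS):
    """Return (ip, hostname) pairs where a watched domain or subdomain is mapped in HOSTS."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(name == d or name.endswith("." + d) for d in watched):
                hits.append((ip, name))
    return hits
```

Any source reported by `find_445_scanners` that also opens an outbound connection on TCP port 8080 shortly afterwards matches the IRC backdoor behaviour described above and deserves immediate isolation.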