Aliases: CME-164, Mytob.IR, W32/Zotob.worm, W32/Zotob.worm.b, W32/Zotob-B, Backdoor.Win32.IRCBot.et, Win32/Mytob.IR, Win32/Zotob.A, Win32/Zotob.B!Worm, Worm.IRCBot.DL, Worm.Zotob.A
Category: Computer Worm
Status: Active & Spreading
Affected regions: Asia, North and South America, and some parts of Europe and Australia
Date: 14 Aug 2005
W32.Zotob.B is a worm and backdoor Trojan for the Windows platform that installs itself via the system registry. It spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability.
W32.Zotob.B Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software.
We recommend that you scan your system for malware. Our partner offers a computer worm removal tool that automatically cleans W32.Zotob.B from your computer.
More details about W32.Zotob.B
W32.Zotob.B is a self-executing worm that runs continuously as a hidden application and provides a backdoor server through which remote attackers can gain access to and control over the machine. When the worm is activated, it starts up to 200 processes that search for other computers over TCP port 445, resulting in poor system performance. It also copies itself as an executable file into the infected computer’s Windows System folder, and it modifies the Windows HOSTS file to block access to security websites. The worm is about 15,386 bytes long and is designed to exploit Windows 2000. Although it can run on other Windows operating systems, from such hosts it is used to infect Windows 2000 machines connected to the same network.
When executed, the worm ensures that only one copy of itself runs on the compromised device. It copies itself as an executable file and adds a registry value under the system’s registry subkeys so that the program is launched every time the system starts. W32.Zotob.B is capable of disabling the Shared Access service on Windows XP and Windows 2000. The worm connects to a specific IRC server domain over TCP port 8080 to allow unauthorized remote access to the infected computer, generates random IP addresses derived from the host’s current IP address, and spreads itself to the computers at those addresses.
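The propagation pattern described above (a burst of probes to TCP/445 from one host, followed by an outbound IRC connection on TCP/8080) is easy to turn into a flow-log detection. The following Python sketch is an added example, not code from this page or from any vendor tool; the flow records are constructed, and the 20-target threshold and 60-second window are assumed tuning values a defender would adjust to their own network.

```python
"""Flow-based detection of the Zotob.B spread pattern described above (added example,
not from the page or any vendor tool; flow records are constructed, thresholds assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT = 445          # SMB port the worm probes for new victims
C2_PORT = 8080           # port of the worm's outbound IRC connection
SCAN_THRESHOLD = 20      # distinct 445 targets per window (assumed tuning value)
WINDOW = timedelta(seconds=60)

def parse_flow(line):
    """Parse a constructed flow record: '<ISO timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_scanners(lines, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Sources that touch >= threshold distinct hosts on TCP/445 inside one window."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == SCAN_PORT:
            by_src[src].append((ts, dst))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # window anchored at each probe; count the distinct targets inside it
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                flagged.add(src)
                break
    return flagged

def find_c2_candidates(lines, scanners):
    """Scanning hosts that also open an outbound TCP/8080 connection (IRC check-in)."""
    return {src for _, src, _, dport in map(parse_flow, lines)
            if dport == C2_PORT and src in scanners}

# Constructed sample: 10.0.0.5 sweeps 25 neighbours on 445 within a minute, then
# connects out on 8080; 10.0.0.9 makes one ordinary file-sharing connection.
_T0 = datetime(2005, 8, 14, 12, 0, 0)
SAMPLE_FLOWS = [f"{(_T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.{i} 445"
                for i in range(25)]
SAMPLE_FLOWS += [f"{(_T0 + timedelta(seconds=30)).isoformat()} 10.0.0.5 198.51.100.7 8080",
                 f"{_T0.isoformat()} 10.0.0.9 10.0.0.1 445"]

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_FLOWS)
    print("scanners:", hits, "c2 candidates:", find_c2_candidates(SAMPLE_FLOWS, hits))
```

A single legitimate file-sharing connection never reaches the threshold, so only the sweeping host is reported, and correlating it with the TCP/8080 connection separates worm activity from a noisy but benign inventory scan.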