Introduction
Which systems are vulnerable to the Zotob worm?
What kind of damage does it cause?
How does it work?
How can I protect my computer?
More details of the vulnerabilities and proper remediation
Reference material, products, and technologies to help mitigate worms
Appendix: Reference of worm exploit names and variants
A new worm released Sunday August 14, 2005, which takes advantage of the Plug and Play (PnP) vulnerabilities described in Microsoft Security Bulletin MS05-039, is causing widespread problems. The Zotob worm appeared shortly after the Microsoft patch release on Tuesday August 9. There are currently several worms based on the same exploit code. They are known by several names such as Zotob, Esbot, Bobax, WORM_RBOT, Spybot, SDbot, IRCbot, and variants of these.
Zotob affects unpatched Windows 2000 systems with TCP port 445 open. Users of Windows 95, 98, and ME are not vulnerable to the current variants of Zotob, but Windows XP and Windows Server 2003 systems could be vulnerable in certain rare circumstances.
Zotob affects computers by slowing them down and causing them to continually crash and reboot. Infected Windows 2000 computers are potentially left exposed to more malicious attacks, while infected Windows XP computers can only continue to spread the worms.
The worm itself does not have a destructive payload, but it does leave an open backdoor control channel that could allow attackers to commandeer the infected machine. The worm also adds several lines of code into a machine to prevent it from accessing certain antivirus websites.
When Zotob finds a target system, the worm installs a shell program on the computer that initiates an FTP or TFTP session to download the actual worm code. The newly infected system then starts scanning IP addresses for new computers to compromise. When the worm finds another unprotected machine, the process repeats itself.
An additional variant adds a mass-mailing capability, which means it can also spread by sending a copy of itself to e-mail addresses gathered from the infected system.
Administrators are encouraged to apply the appropriate Microsoft patch to affected systems and to restrict access to machines on TCP port 445 and other variant ports. Be aware that blocking these ports may affect existing functionality, such as file sharing. A large variety of bots are taking advantage of the vulnerabilities described in MS05-039. Not all are characterized as Zotob, and some might escape antivirus detection altogether. Do not assume that your system is safe if you do not find Zotob, because some of the other bots match generic SDbot or Rbot signatures.
Details of the worm are on the Microsoft website:
https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2005/899588
The following links provide product and technology information that can help mitigate the effects on your network and prevent infestations from worms such as Zotob:
Cisco Security Products and Technologies
http://www.cisco.com/go/security
Cisco Next Generation Intrusion Prevention System
https://www.cisco.com/c/en/us/products/security/ngips/index.html
Zotob.A
Executable size: 22,528 bytes
Executable name: botzor.exe
Ports: TCP 445, 8080, 33333
Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend Micro]
Other details: Opens FTP server on TCP port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs.
Zotob.B
Executable size: 27,648 bytes
Executable name: csm.exe
Ports: TCP 445, 8080, 33333
Aliases: Zotob.B [F-Secure], W32/Zotob.worm.b [McAfee], W32/Zotob-B [Sophos], WORM_ZOTOB.B [Trend Micro]
Other details: Opens FTP server on TCP port 33333, copies 2pac.txt and haha.exe to the system directory, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs.
Zotob.C
Executable size: 41,984 bytes
Executable name: per.exe
Ports: TCP 445, 8080, 33333
Other details: Mass-mailing worm uses a predefined list of recipient names, appending the domain names that it gathers from an infected computer. It contains its own SMTP engine to e-mail to the addresses that it finds. Opens FTP server on TCP port 33333, adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs.
Zotob.D
Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP 6667, 1117, 445
Other details: Opens FTP server on TCP port 1117, attempts to end a variety of processes. Modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, and adds itself to the run and run services in the registry. Modifies the hosts file to prevent updating of antivirus and security programs.
Zotob.E
Executable size: 10,366 bytes
Executable name: wintbp.exe
Ports: TCP 8594, 8080, 445. UDP - 69
Aliases: WORM_RBOT.CBQ [Trend Micro]
Other details: Opens TFTP server on UDP port 69, connects to IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, and adds itself to the run in the registry.
Zotob.F
Executable size: 10,878 bytes
Executable name: wintbpx.exe
Ports: TCP 445
Other details: Opens multiple TCP ports. Connects to IRC server at 72.20.41.139 to listen for update instructions, adds itself to the run in the registry, and creates a file named %Temp%\[NUMBER] (which, if successful, contains TFTP scripts to download additional files).
Zotob.G
Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP 445, 6667, 1171
Aliases: W32.Drudebot.A
Other details: Attempts to connect IRC servers on TCP port 6667, opens a TFTP server on TCP port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and program files directories, adds itself to the run and run services in the registry, and creates a file named %Temp%\[NUMBER] (which, if successful, contains TFTP scripts to download additional files). Modifies the hosts file to prevent updating of antivirus and security programs.
W32.Esbot.A
Also known as: Backdoor.Win32.IRCBot.es [Kaspersky Lab], W32/IRCbot.gen [McAfee], W32/Sdbot-ACG [Sophos], BKDR_RBOT.BD [Trend Micro], Win32.Esbot.A, Win32.Esbot.B [Computer Associates]
Spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
W32.Esbot.B
Spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
W32.Bobax.AF@mm
A mass-mailing worm that opens a back door, downloads remote files, and lowers security settings on the compromised computer. The worm spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) and by sending a copy of itself to gathered e-mail addresses.
W32.Spybot.UBH
Also known as: W32/Sdbot.worm!MS05-039 [McAfee]
A worm that has distributed denial-of-service (DDoS) and backdoor capabilities. The worm spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.