Introduction
A new worm released Sunday August 14, 2005, which takes advantage of the Plug and Play (PnP) vulnerabilities described in Microsoft Security Bulletin MS05-039, is causing widespread problems. The Zotob worm appeared shortly after the Microsoft patch release on Tuesday August 9. There are currently several worms based on the same exploit code. They are known by several names such as Zotob, Esbot, Bobax, WORM_RBOT, Spybot, SDbot, IRCbot, and variants of these.
Which Systems Are Vulnerable to the Zotob Worm?
Zotob affects unpatched Windows 2000 systems with TCP port 445 open. Users of Windows 95, 98, and ME are not vulnerable to the current variants of Zotob, but Windows XP and Windows Server 2003 systems could be vulnerable in certain rare circumstances.
What Kind of Damage Does It Cause?
Zotob affects computers by slowing them down and causing them to continually crash and reboot. Infected Windows 2000 computers are potentially left exposed to more malicious attacks, while infected Windows XP computers can only continue to spread the worms.
The worm itself does not have a destructive payload, but it does leave an open backdoor control channel that could allow attackers to commandeer the infected machine. The worm also adds several entries to the machine's hosts file to prevent it from reaching certain antivirus websites.
How Does It Work?
When Zotob finds a target system, the worm installs a shell program on the computer that initiates an FTP or TFTP session to download the actual worm code. The newly infected system then starts scanning IP addresses for new computers to compromise. When the worm finds another unprotected machine, the process repeats itself.
An additional variant adds a mass-mailing capability, which means it can also spread by sending a copy of itself to e-mail addresses gathered from the infected system.
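The infection chain described above (exploitation on TCP port 445, a pull of the worm body over FTP or TFTP, then fan-out scanning) gives a defender two network signals to look for. The following is an added example, not code from the advisory or from Cisco, that runs that logic over a few constructed firewall log lines; the log format, the scan threshold and the sample addresses are assumptions.

```python
from collections import defaultdict

# Ports named in the advisory: the exploited PnP service and the FTP/TFTP
# channels the variants use to serve the worm body to a freshly exploited host.
EXPLOIT_PORT = 445
DOWNLOAD_PORTS = {("tcp", 33333), ("tcp", 1117), ("udp", 69)}
SCAN_THRESHOLD = 5  # assumed: distinct targets on tcp/445 from one source

# Constructed sample log; assumed format: "<time> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.20 tcp 445
10:00:02 10.0.0.5 10.0.0.21 tcp 445
10:00:02 10.0.0.5 10.0.0.22 tcp 445
10:00:03 10.0.0.5 10.0.0.23 tcp 445
10:00:03 10.0.0.5 10.0.0.24 tcp 445
10:00:04 10.0.0.24 10.0.0.5 udp 69
10:00:05 10.0.0.7 10.0.0.9 tcp 445
10:00:06 10.0.0.7 10.0.0.9 tcp 139
"""

def parse_line(line):
    ts, src, dst, proto, port = line.split()
    return ts, src, dst, proto.lower(), int(port)

def find_suspects(log_text):
    """Return {ip: [reasons]} for hosts showing the advisory's worm behaviour:
    fan-out scanning on tcp/445, or an FTP/TFTP pull on a variant's port."""
    targets_on_445 = defaultdict(set)
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, proto, port = parse_line(line)
        if proto == "tcp" and port == EXPLOIT_PORT:
            targets_on_445[src].add(dst)
        if (proto, port) in DOWNLOAD_PORTS:
            # dst is the already-infected host serving the file, src the new victim
            reasons[dst].append(f"serving {proto}/{port} to {src}")
            reasons[src].append(f"pulled file from {dst} on {proto}/{port}")
    for src, dsts in targets_on_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            reasons[src].append(f"scanned {len(dsts)} hosts on tcp/445")
    return dict(reasons)
```

A single connection to port 445 (as from 10.0.0.7 in the sample) is normal file-sharing traffic and is not flagged; only the fan-out and the follow-on download channel are.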
How Can I Protect My Computer?
Administrators are encouraged to apply the appropriate Microsoft patch to affected systems and to restrict access to machines on TCP port 445 and the other ports used by the variants. Be aware that blocking these ports may affect existing functionality, such as file sharing. A large variety of bots are taking advantage of the vulnerabilities described in MS05-039. Not all are characterized as “Zotob,” and some might escape antivirus detection altogether. Do not assume that your system is safe if you do not find “Zotob,” because some of the other bots match generic SDbot or Rbot signatures.
More Details of the Vulnerabilities and Proper Remediation
MySDN Alerts: Microsoft Windows Plug and Play Remote Code Execution
http://tools.cisco.com/MySDN/Intelligence/viewThreat.x?threatId=4449
Cisco has provided information on mitigation techniques and on affected Cisco products that require Cisco-supplied software to be patched properly:
http://www.cisco.com/warp/public/707/cisco-sn-zotob.shtml
Details of the worm can be found on the Microsoft website:
http://www.microsoft.com/technet/security/advisory/899588.mspx
Reference Material, Products, and Technologies to Help Mitigate Worms
The following links provide product and technology information that can help mitigate the effects on your network and prevent infestations from worms such as Zotob:
Worm Mitigation Technical White Paper
/web/about/security/intelligence/worm-mitigation-whitepaper.html
Cisco Security Products and Technologies
www.cisco.com/go/security
Outbreak Prevention Information
http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/networking_solutions_white_paper0900aecd801e009f.shtml
Cisco Security Monitoring, Analysis, and Response System
www.cisco.com/en/US/products/ps6241/index.html
Network Admission Control
www.cisco.com/en/US/netsol/ns466/networking_solutions_package.html
Cisco Security Agent
www.cisco.com/en/US/products/sw/secursw/ps5057/index.html
Cisco Clean Access
www.cisco.com/en/US/products/ps6128/index.html
Cisco Intrusion Prevention System
www.cisco.com/en/US/products/sw/secursw/ps2113/index.html
Appendix: Reference of Worm Exploit Names and Variants
Zotob.A
Executable size: 22,528 bytes
Executable name: botzor.exe
Ports: TCP – 445, 8080, 33333
Aliases: Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend Micro]
Other details: Opens an FTP server on TCP port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.
Zotob.B
Executable size: 27,648 bytes
Executable name: csm.exe
Ports: TCP – 445, 8080, 33333
Aliases: Zotob.B [F-Secure], W32/Zotob.worm.b [McAfee], W32/Zotob-B [Sophos], WORM_ZOTOB.B [Trend Micro]
Other details: Opens an FTP server on TCP port 33333, copies 2pac.txt and haha.exe to the system directory, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.
Zotob.C
Executable size: 41,984 bytes
Executable name: per.exe
Ports: TCP – 445, 8080, 33333
Other details: Mass-mailing worm that uses a predefined list of recipient names, appending the domain names it gathers from the infected computer. It contains its own SMTP engine to e-mail the addresses it finds. Opens an FTP server on TCP port 33333 and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.
Zotob.D
Executable size: 51,326 bytes
Executable name: windrg32.exe
Ports: TCP – 6667, 1117, 445
Other details: Opens an FTP server on TCP port 1117 and attempts to end a variety of processes. Modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and Program Files directories, and adds itself to the Run and RunServices keys in the registry. Modifies the hosts file to prevent antivirus and security programs from updating.
Zotob.E
Executable size: 10,366 bytes
Executable name: wintbp.exe
Ports: TCP – 8594, 8080, 445; UDP – 69
Aliases: WORM_RBOT.CBQ [Trend Micro]
Other details: Opens a TFTP server on UDP port 69, connects to an IRC server at 72.20.27.115 on TCP port 8080 to listen for update instructions, and adds itself to the Run key in the registry.
Zotob.F
Executable size: 10,878 bytes
Executable name: wintbpx.exe
Ports: TCP – 445
Other details: Opens multiple TCP ports. Connects to an IRC server at 72.20.41.139 to listen for update instructions, adds itself to the Run key in the registry, and creates a file named %Temp%\[NUMBER] (which, if successful, contains TFTP scripts to download additional files).
Zotob.G
Executable size: 73,728 bytes
Executable name: windrg32.exe
Ports: TCP – 445, 6667, 1171
Aliases: W32.Drudebot.A
Other details: Attempts to connect to IRC servers on TCP port 6667, opens a TFTP server on TCP port 1171, attempts to end a variety of processes, modifies the registry and deletes a variety of registry entries, deletes a variety of files from the system and Program Files directories, adds itself to the Run and RunServices keys in the registry, and creates a file named %Temp%\[NUMBER] (which, if successful, contains TFTP scripts to download additional files). Modifies the hosts file to prevent antivirus and security programs from updating.
W32.Esbot.A
Also known as: Backdoor.Win32.IRCBot.es [Kaspersky Lab], W32/IRCbot.gen [McAfee], W32/Sdbot-ACG [Sophos], BKDR_RBOT.BD [Trend Micro], Win32.Esbot.A, Win32.Esbot.B [Computer Associates]
Spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
W32.Esbot.B
Spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
W32.Bobax.AF@mm
A mass-mailing worm that opens a back door, downloads remote files, and lowers security settings on the compromised computer. The worm spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) and by sending a copy of itself to gathered e-mail addresses.
W32.Spybot.UBH
Also known as: W32/Sdbot.worm!MS05-039 [McAfee]
A worm that has distributed denial-of-service (DDoS) and backdoor capabilities. The worm spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
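As an added example that is not part of the advisory, the following Python helpers match host artifacts against the indicators collected in the appendix above: hosts-file entries that pin security vendor names to a loopback or bogus address, and Run/RunServices values that launch one of the listed executable names. The vendor-name hints, the sample hosts file and the sample Run values are constructed assumptions; on a live host you would feed in the real hosts file and the real key values.

```python
# Executable names taken from the appendix, keyed to the variant they belong to.
VARIANT_EXES = {
    "botzor.exe": "Zotob.A", "csm.exe": "Zotob.B", "per.exe": "Zotob.C",
    "windrg32.exe": "Zotob.D/Zotob.G", "wintbp.exe": "Zotob.E",
    "wintbpx.exe": "Zotob.F", "haha.exe": "Zotob.A/Zotob.B dropped file",
}
# Assumed: substrings that identify antivirus/security update hosts in a hosts file.
SECURITY_VENDOR_HINTS = ("symantec", "mcafee", "trendmicro", "sophos",
                         "f-secure", "kaspersky", "windowsupdate", "microsoft")

def hosts_file_blocks(hosts_text):
    """Return (ip, hostname) pairs where a security vendor name has been
    mapped to some address, the hosts-file trick the appendix describes."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop hosts-file comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if any(hint in name.lower() for hint in SECURITY_VENDOR_HINTS):
                hits.append((ip, name))
    return hits

def run_key_matches(run_values):
    """run_values: list of (value_name, command) pairs as read from the
    Run / RunServices keys. Returns (value_name, variant) for known names."""
    found = []
    for value_name, command in run_values:
        # take the last path component, then the executable before any arguments
        tail = command.replace('"', "").split("\\")[-1].split()
        if not tail:
            continue
        exe = tail[0].lower()
        if exe in VARIANT_EXES:
            found.append((value_name, VARIANT_EXES[exe]))
    return found

# Constructed sample data so the helpers run stand-alone.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 www.symantec.com   # entries like this are what the worm adds
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 update.microsoft.com
"""
SAMPLE_RUN = [("sample-value", "botzor.exe"),              # constructed value name
              ("Explorer", "C:\\WINNT\\explorer.exe")]     # benign entry
```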
This document is part of the Cisco Security Center.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.