WORM_ZOTOB.D
The worm actually kills spyware. LOL
File type: PE
Memory resident: Yes
Size of malware: 51,326 Bytes
Ports used: Random, TCP port 445 (Microsoft-DS), TCP port 6667 (IRCU), TCP port 7778 (Interwise)
Initial samples received on: Aug 16, 2005
Compression type: UPX, Yoda's Cryptor
Vulnerability used: (MS05-039) Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)
Payload 1: Compromises system security
Payload 2: Steals information
Payload 3: Displays message
Trigger condition 1: Upon finding a certain value in the system registry
Payload 4: Deletes registry entries
Payload 5: Deletes files and folders
Payload 6: Terminates processes
Details:
Installation and Autostart Technique
Upon execution, this memory-resident worm checks the value of the following registry entry:
HKEY_LOCAL_MACHINE\Software\Drudgebot
Halt
If the value of the registry entry is "TRUE" (i.e., Halt = "TRUE"), this worm displays the following message box then terminates:
Drudgebot
It proceeds to check if the mutex windrg322 exists. If it does, this worm deletes the executed file and terminates. Otherwise, it creates the following mutexes:
windrg322
windrg322-TI
It then creates the following registry entry to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
WinDrg32 = "%System%\wbev\windrg32.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops a copy of itself in the %System%\wbev folder as the file WINDRG32.EXE. It also executes the dropped file and deletes itself.
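The autostart indicators above (the WinDrg32 Run value pointing into %System%\wbev and the Drudgebot\Halt kill-switch entry) can be checked against a "reg query" style text export. This is an added example, not code from the original description; the sample export is constructed for it, and the match is done on the tail of the path because %System% differs per OS as noted above.

```python
import re

# Constructed sample of "reg query" style output, as it might look on an
# infected Windows 2000 host (sample invented for this example).
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    WinDrg32    REG_SZ    C:\WINNT\System32\wbev\windrg32.exe

HKEY_LOCAL_MACHINE\Software\Drudgebot
    Halt    REG_SZ    FALSE
"""

# Indicators taken from the description; the %System% folder differs per OS,
# so the dropped file is matched on the tail of its path.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "windrg32"
DROP_TAIL = r"\wbev\windrg32.exe"
KILLSWITCH_KEY = r"HKEY_LOCAL_MACHINE\Software\Drudgebot"


def parse_reg_export(text):
    """Turn reg-query style text into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):  # an unindented line is a key
            current = line.strip()
            keys.setdefault(current, {})
            continue
        # value lines: name, type and data separated by runs of whitespace
        parts = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=2)
        if current is not None and len(parts) == 3:
            name, vtype, data = parts
            keys[current][name] = (vtype, data)
    return keys


def find_zotob_d_indicators(text):
    """Return human-readable findings for the WORM_ZOTOB.D autostart entries."""
    findings = []
    keys = {k.lower(): v for k, v in parse_reg_export(text).items()}
    for name, (_, data) in keys.get(RUN_KEY.lower(), {}).items():
        if name.lower() == RUN_VALUE or data.lower().endswith(DROP_TAIL):
            findings.append(f"Run value {name!r} -> {data}")
    halt = keys.get(KILLSWITCH_KEY.lower(), {}).get("Halt")
    if halt is not None:  # the worm's own key is present, whatever its value
        findings.append(f"Drudgebot Halt = {halt[1]!r}")
    return findings
```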
Propagation Routine
This worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, please refer to the following Microsoft Web page:
Microsoft Security Bulletin MS05-039
It generates random IP addresses to target, then checks if port 445 is open on a generated target IP address. If the said port is open, it attempts to exploit the target system.
If it fails to exploit the said system or if port 445 is not open, it generates another IP address to target. Otherwise, this worm initiates an FTP server on the affected system. The said system then opens a remote shell on port 7778 and creates an FTP script through the remote shell.
When the exploit code encounters an error on the target machine, it causes SERVICES.EXE, which holds most of the system services, to terminate. This in turn causes the target machine to shut down.
Note that this propagation routine works only on Windows NT and 2000, because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting it in Windows XP and Server 2003.
Backdoor Capabilities
This worm also has backdoor capabilities. Prior to launching its backdoor component, this worm checks for a network connection by using the InternetGetConnectedState() API and by attempting to resolve the IP addresses of the following sites:
* www.ebay.com
* www.google.com
* www.yahoo.com
It then opens random ports, including port 6667 (a normal IRC port), which enable it to connect to any of the following IRC servers:
* db23.hack-syndicate.org
* db23a.hack-syndicate.org
* spookystreet.m00p.org
* spookystreet.udp-flood.com
Once a connection is established, this worm joins a specific IRC channel, where it listens for the following commands coming from a remote malicious user:
* Connect to a particular IRC server
* Download a file from the Internet
* Download an updated copy of itself
* Execute a Google search
* Flood a target host
* Perform basic IRC commands
* Terminate processes
* Uninstall a copy of itself
* Visit a specific URL
However, it does not connect to the remote IRC servers if the IP addresses of the said servers fall under one of the following IP ranges:
* 0.0.0.0 to 0.255.255.255
* 10.0.0.0 to 10.255.255.255
* 127.0.0.0 to 127.255.255.255
* 169.254.0.0 to 169.254.255.255
* 192.168.0.0 to 192.168.255.255
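The propagation and backdoor behaviour described above leaves a recognisable network footprint: a host probing TCP/445 on many addresses, a connection to TCP/7778 for the remote shell, and IRC traffic on TCP/6667 or lookups of the listed servers. The following detection logic, an added example rather than anything from the original description, runs over a constructed firewall log and optional DNS query pairs; the log format and the scan threshold are assumptions.

```python
from collections import defaultdict

# Constructed firewall log (invented sample), one outbound SYN per line:
# "<time> <src> -> <dst>:<port>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 203.0.113.7:445
10:00:01 10.0.0.5 -> 198.51.100.2:445
10:00:02 10.0.0.5 -> 192.0.2.9:445
10:00:02 10.0.0.5 -> 203.0.113.40:445
10:00:03 10.0.0.5 -> 198.51.100.77:445
10:00:04 10.0.0.5 -> 192.0.2.9:7778
10:00:09 10.0.0.5 -> 198.51.100.200:6667
10:00:10 10.0.0.8 -> 10.0.0.1:445
10:00:11 10.0.0.8 -> 10.0.0.1:445
""".splitlines()

IRC_C2_HOSTS = {  # IRC servers listed in the description
    "db23.hack-syndicate.org", "db23a.hack-syndicate.org",
    "spookystreet.m00p.org", "spookystreet.udp-flood.com",
}
SCAN_THRESHOLD = 5  # distinct TCP/445 targets before a source counts as scanning


def parse_line(line):
    _time, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return src, dst, int(port)


def detect_zotob_d(lines, dns_queries=()):
    """Map each source host to the behaviours from the description it shows.

    dns_queries: iterable of (src, queried_name) pairs, e.g. from a DNS log."""
    targets_445 = defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        src, dst, port = parse_line(line)
        if port == 445:
            targets_445[src].add(dst)  # count distinct targets, not packets
        elif port == 7778:
            findings[src].add("remote shell on TCP/7778 after exploit")
        elif port == 6667:
            findings[src].add("IRC backdoor connection on TCP/6667")
    for src, dsts in targets_445.items():
        if len(dsts) >= SCAN_THRESHOLD:
            findings[src].add("TCP/445 scanning (MS05-039 propagation)")
    for src, name in dns_queries:
        if name.lower() in IRC_C2_HOSTS:
            findings[src].add(f"resolved IRC C&C host {name}")
    return {src: sorted(f) for src, f in findings.items()}
```

A single file-server client such as 10.0.0.8 hitting one address on TCP/445 repeatedly stays below the threshold, so the distinct-target count is what separates normal SMB use from the worm's random-address sweep.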
Information Theft
Part of this worm's backdoor capabilities is to retrieve system information, such as CPU speed and memory size. It does this by checking the following registry key:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\
System\CentralProcessor\0
It also gathers the following data:
* Currently logged-on user, or the name of the user under which this worm is currently executing
* Computer name
* Operating system version and additional version information (e.g., Service Pack version)
* Memory status
It also attempts to crack the passwords of the infected machine’s local user accounts by using the following password list:
* 123
* 12345
* 123456
* 12345678
* 54321
* 654321
* 88888888
* abc
* abc123
* account
* admin
* administrateur
* administrator
* amministratore
* asd
* asdf
* asdfgh
* austin
* azer
* azert
* azerty
* barbara
* black
* casa
* charles
* computer
* criminal justice
* david
* desktop
* dorothy
* elizabeth
* famiglia
* family
* god
* green
* guess
* Haupt
* hello
* home
* hot chilli
* house
* inhaber
* James
* Jennifer
* john
* Joseph
* lavoro
* letmein
* light tanks
* linda
* living dead
* London
* maison
* margaret
* maria
* mary
* michael
* near miss
* old news
* owner
* paris
* pass
* passe
* password
* passwort
* Patricia
* peace force
* pink
* propri
* proprietaire
* proprietario
* purple
* qsd
* qsdfgh
* qwert
* qwerty
* qwertyui
* qwertz
* richard
* Robert
* school
* secret
* secure
* susan
* taire
* test
* testing
* Thomas
* universita
* white
* William
* work
Administrators and users are advised to avoid using these passwords in their accounts.
Payload
This worm launches a thread designed to remove certain malware and spyware from the system. It does this by going through a cycle of process termination, file/folder deletion, and registry cleanup.
It terminates the following processes:
* botzor.exe - related to WORM_ZOTOB.A
* CMESys.exe - related to SPYW_GATOR variants
* csm.exe - related to WORM_ZOTOB.B
* CxtPls.exe - related to ADW_APROPOS variants
* NHUpdater.exe - related to SPYW_NAVEXCEL variants
* pnpsrv.exe - related to BKDR_RBOT.BC
* qttask.exe
* realsched.exe
* ViewMgr.exe
* winpnp.exe - related to WORM_RBOT.CBD
* %Program%\AutoUpdate\AutoUpdate.exe - related to ADW_ENVOLO.A
* %Program%\CommonFiles\GMT\GMT.exe - related to SPYW_GATOR variants
* %Program%\eZula\mmod.exe - related to ADW_EZULA variants
(Note: %Program% is the Program Files directory which is usually C:\Program Files.)
It also terminates processes that match the string EbatesMoeMoneyMaker*.exe, as well as all .EXE files run from the following subdirectories in the Program Files folder:
* 180Solutions - related to ADW_SOLU180 variants
* Common Files\WinTools - related to SPYW_WEBSEARCH variants
* HotBar - related to ADW_HOTBAR variants
* MyWebSearch - related to ADW_WEBSEARCH variants
* MyWay - related to ADW_MIWAY variants
* Toolbar
It deletes the following files in the Windows system directory:
* botzor.exe - related to WORM_ZOTOB.A
* csm.exe - related to WORM_ZOTOB.B
* pnpsrv.exe - related to BKDR_RBOT.BC
* winpnp.exe - related to WORM_RBOT.CBD
It also deletes the following subdirectories in the Program Files folder:
* 180Solutions - related to ADW_SOLU180 variants
* AutoUpdate - related to ADW_APROPOS variants
* Common Files\CMEII - related to SPYW_GATOR variants
* Common Files\GMT - related to SPYW_GATOR variants
* Common Files\WinTools - related to SPYW_WEBSEARCH variants
* CxtPls - related to ADW_APROPOS variants
* EbatesMoeMoneyMaker - related to ADW_TREBATES.B
* eZula - related to ADW_EZULA variants
* Hotbar - related to ADW_HOTBAR variants
* MyWay - related to ADW_MIWAY variants
* MyWebSearch - related to ADW_WEBSEARCH variants
* NavExcel - related to SPYW_NAVEXCEL variants
* Toolbar
It deletes registry entries when the values match any of the following:
* 180 - related to ADW_SOLU180 variants
* 180ax - related to ADW_SOLU180 variants
* Apropos - related to ADW_APROPOS variants
* AutoUpdater - related to ADW_APROPOS variants
* CMESys - related to SPYW_GATOR variants
* csm Win Updates - related to WORM_ZOTOB.B
* Ebates
* EbatesMoeMoneyMaker - related to ADW_TREBATES.B
* eZmmod - related to ADW_EZULA variants
* eZula - related to ADW_EZULA variants
* Gator - related to ADW_GATOR variants
* GatorDownloader - related to ADW_GATOR variants
* Hotbar - related to ADW_HOTBAR variants
* IBIS TB
* msbb - related to ADW_NCASE variants
* MyWay - related to ADW_MIWAY variants
* MyWebSearch - related to ADW_WEBSEARCH variants
* NavExcel - related to SPYW_NAVEXCEL variants
* QuickTime
* QuickTime Task
* Real
* saie
* sais
* TBPS
* TkBellExe - related to WORM_LOVGATE variants
* Toolbar
* tov
* Trickler - related to SPYW_GATOR variants
* ViewMgr - related to SPYW_GATOR variants
* Viewpoint
* WINDOWS SYSTEM
* WeatherOnTray - related to ADW_HOTBAR variants
* WinTools - related to SPYW_WEBSEARCH variants
* Windows PNP - related to WORM_RBOT.CBD
* Windows PNP Server - related to BKDR_RBOT.BC
* Zotob - related to WORM_ZOTOB variants
The said registry entries may be found in the following registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Platform
This worm runs on Windows 95, 98, ME, 2000, XP, and Server 2003.