WORM_ZOTOB.H

Malware type: Worm

Aliases: Net-Worm.Win32.Mytob.cn (Kaspersky), W32/Mytob.gen@MM (McAfee), W32.Zotob.J@mm (Symantec), Worm/Mytob.JQ.1 (Avira), W32/Zotob-H (Sophos), Worm:Win32/Zotob.I (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This worm arrives via email, or by using a vulnerability in Windows. Upon execution, it drops a copy of itself as FUCK.EXE in the Windows system folder.

This worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, refer to Microsoft Security Bulletin MS05-039 (899588).

This worm also propagates via email by sending a copy of itself as an attachment to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. Using its own SMTP mail engine makes it easier for this worm to send out email messages, while maintaining transparency on the affected system.

The email it sends has the following details:

Subject: (any of the following)
• *DETECTED* Online User Violation
• Important notification
• Security Measures
• WARNING: Your Services Near to be Closed
• You have successfully updated your password
• Your Account is Suspended
• Your Account is suspended for Security Reasons
• Your Password has been updated

Message Body: (any of the following)
===========
Dear user {recipient},

You have successfully updated the password of your {email account} account.

If you did not authorize this change or if you need assistance with your account, please contact {random} customer service at:{random}

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Thank you for using {random}!
The {random} Support Team

   Attachment: No Virus (Clean)
   {random}Antivirus - www. {random}

===========

Dear user{recipient},

It has come to our attention that your {domain} User Profile ( x ) records are out of date. For further details see the attached document.

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Thank you for using {random}!
The {random}Support Team

   Attachment: No Virus (Clean)
   {random}Antivirus - www. {random}

===========

Dear {domain} Member,

We have temporarily suspended your email account {email account}.

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

See the details to reactivate your {email account} account.

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Sincerely,
The {random} Support Team

   Attachment: No Virus (Clean)
   {random} Antivirus - www. {random}

===========

Dear {domain} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Virtually yours,
The {random} Support Team

   Attachment: No Virus found
   {random}Antivirus - www. {random}

Attachment: (any of the following)
• Accepted-password
• Account-details
• Account-password
• Account-report
• Document.zip
• Email-details
• Email-password
• Important-details
• New-password
• Password
• Updated-password

(with any of the following extensions)
• DOC
• EXE
• HTM
• PIF
• SCR
• TXT
• ZIP


This WORM_ZOTOB variant modifies the HOSTS file to prevent access to different sites, most of which are antivirus and security Web sites. Hence, users who attempt to access these Web sites cannot do so, preventing them from being informed about malware threats, including this worm.

It also opens a random port and connects to the Internet Relay Chat (IRC) server irc.unixirc.net. Once a connection is established, it joins a specific IRC channel #ccpower, where it listens for commands from a malicious user. It then executes these commands on the affected machine. These commands include downloading and executing possibly malicious files, and stealing information about the affected system.


Description created: Aug. 22, 2005 3:30:27 AM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 95,232 Bytes

Ports used: Random

Initial samples received on: Aug 20, 2005

Vulnerability used: (MS05-039) Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)

Payload 1: Compromises system security

Payload 2: Modifies HOSTS file

Details:

Installation and Autostart

This worm arrives as an email attachment. Upon execution, it drops a copy of itself as FUCK.EXE in the Windows system folder. It then creates the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS FUCK BY CLASIC = "fuck.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS FUCK BY CLASIC = "fuck.exe"

Or

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS FUCK BY CLASIC = "\fuck.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS FUCK BY CLASIC = "\fuck.exe"

Propagation via Exploit

This worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. For more information regarding this vulnerability, refer to Microsoft Security Bulletin MS05-039 (899588).

Once this worm successfully exploits a target system, it opens a Trivial File Transfer Protocol (TFTP) service. Using the said service, it then drops and executes a copy of this worm onto the system.

The said propagation routine works only on Windows NT and 2000, because the Microsoft Windows Plug and Play vulnerability has inherent characteristics that prevent this worm from exploiting it in Windows XP and Server 2003.

Propagation via Email

This worm propagates via email by sending a copy of itself as an attachment to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine.

It gathers target email addresses from the Windows Address Book (WAB) by checking for the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WAB\WAB4\Wab File Name

It may also harvest email addresses from the Temporary Internet Files folder with the following file extensions:

  • ADBH
  • ASPD
  • CGIL
  • DBXN
  • HTMB
  • HTML
  • JSPL
  • PHPQ
  • PL
  • SHTL
  • TBBG
  • TXT
  • WAB
  • XMLS

It may also generate email addresses by combining the following names with a domain name copied from harvested addresses:

  • andrew
  • brenda
  • brent
  • brian
  • claudia
  • david
  • debby
  • frank
  • george
  • helen
  • james
  • jerry
  • jimmy
  • julie
  • kevin
  • linda
  • maria
  • michael
  • peter
  • robert
  • sales
  • sandra
  • smith
  • steve

If a default mail server is not found, it queries for message exchange servers by prepending the following strings to the domain names of gathered email addresses:

  • gate.
  • mail.
  • mail1.
  • mx.
  • mx1.
  • mxs.
  • ns.
  • relay.
  • smtp.

It avoids sending email messages to addresses that contain any of the following substrings:

  • abuse
  • admin
  • administrator
  • register
  • secur
  • service
  • support
  • webmaster

It also skips email addresses with domain names containing any of the following substrings:

  • accoun
  • acketst
  • admin
  • anyone
  • arin.
  • be_loyal:
  • berkeley
  • borlan
  • certific
  • contact
  • example
  • feste
  • gold-certs
  • google
  • hotmail
  • ibm.com
  • icrosof
  • icrosoft
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • mit.e
  • mozilla
  • mydomai
  • nobody
  • nodomai
  • noone
  • nothing
  • ntivi
  • panda
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • somebody
  • someone
  • sopho
  • submit
  • support
  • tanford.e
  • the.bat
  • usenet
  • utgers.ed
  • webmaster

The email it sends has the following details:

Subject: (any of the following)
• *DETECTED* Online User Violation
• Important notification
• Security Measures
• WARNING: Your Services Near to be Closed
• You have successfully updated your password
• Your Account is Suspended
• Your Account is suspended for Security Reasons
• Your Password has been updated

Message Body: (any of the following)
===========
Dear user {recipient},

You have successfully updated the password of your {email account} account.

If you did not authorize this change or if you need assistance with your account, please contact {random} customer service at:{random}

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Thank you for using {random}!
The {random} Support Team

   Attachment: No Virus (Clean)
   {random}Antivirus - www. {random}

===========

Dear user{recipient},

It has come to our attention that your {domain} User Profile ( x ) records are out of date. For further details see the attached document.

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Thank you for using {random}!
The {random}Support Team

   Attachment: No Virus (Clean)
   {random}Antivirus - www. {random}

===========

Dear {domain} Member,

We have temporarily suspended your email account {email account}.

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

See the details to reactivate your {email account} account.

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Sincerely,
The {random} Support Team

   Attachment: No Virus (Clean)
   {random} Antivirus - www. {random}

===========

Dear {domain} Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Please also visit our irc server irc.unixirc.net 6667 #ccpower

Virtually yours,
The {random} Support Team

   Attachment: No Virus found
   {random}Antivirus - www. {random}

Attachment: (any of the following)
• Accepted-password
• Account-details
• Account-password
• Account-report
• Document.zip
• Email-details
• Email-password
• Important-details
• New-password
• Password
• Updated-password

(with any of the following extensions)
• DOC
• EXE
• HTM
• PIF
• SCR
• TXT
• ZIP
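A mail-gateway triage check built from the subjects, attachment names, extensions, lure body text and file size listed above. This is an added example, not Trend Micro's code or the worm's own; the scoring thresholds, the verdict labels and the function names are assumptions made here.

```python
# Indicators below are taken from the WORM_ZOTOB.H write-up; the scoring
# rules are an assumption of this example, not part of the write-up.
SUBJECTS = {
    "*detected* online user violation",
    "important notification",
    "security measures",
    "warning: your services near to be closed",
    "you have successfully updated your password",
    "your account is suspended",
    "your account is suspended for security reasons",
    "your password has been updated",
}
ATTACHMENT_NAMES = {
    "accepted-password", "account-details", "account-password",
    "account-report", "document", "email-details", "email-password",
    "important-details", "new-password", "password", "updated-password",
}
EXTENSIONS = {"doc", "exe", "htm", "pif", "scr", "txt", "zip"}
EXECUTABLE = {"exe", "pif", "scr"}  # run directly when double-clicked
BODY_MARKERS = ("irc.unixirc.net", "#ccpower", "attachment: no virus")
WORM_SIZE = 95232  # bytes, from the Technical Details section


def split_name(filename):
    """Lowercase (base, [ext, ...]); 'Password.txt.exe' -> ('password', ['txt', 'exe'])."""
    base, *exts = filename.strip().lower().split(".")
    return base, exts


def score_message(subject, attachment, body="", size=None):
    """Return (verdict, reasons) for one message.

    Each matched indicator is one reason; three or more, or two plus an
    attachment of exactly the worm's size, give the 'zotob' verdict."""
    reasons = []
    if subject.strip().lower() in SUBJECTS:
        reasons.append("subject matches a known lure")
    base, exts = split_name(attachment)
    if base in ATTACHMENT_NAMES and exts and exts[-1] in EXTENSIONS:
        reasons.append("attachment name matches a known lure")
    if exts and exts[-1] in EXECUTABLE:
        reasons.append("attachment runs directly (." + exts[-1] + ")")
        if len(exts) > 1:
            reasons.append("double extension disguises the executable")
    lowered = body.lower()
    for marker in BODY_MARKERS:
        if marker in lowered:
            reasons.append("body contains '" + marker + "'")
    if size == WORM_SIZE:
        reasons.append("attachment size equals the worm's size")
    hits = len(reasons)
    if hits >= 3 or (hits >= 2 and size == WORM_SIZE):
        return "zotob", reasons
    return ("suspicious" if hits else "clean"), reasons
```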

HOSTS File Modification

This worm modifies the system's HOSTS file, which contains hostname to IP address mappings. The said file can be found in the following folders:

  • %System%\drivers\etc
  • %Windows%

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It appends a list of host names to the file, each mapped to the loopback address (127.0.0.1). As a result, requests for these sites resolve to the local machine instead of the real server, so the user cannot reach them. The blocked Web sites are as follows:

  • avp.com
  • ca.com
  • customer.symantec.com
  • dispatch.mcafee.com
  • download.mcafee.com
  • ebay.com
  • f-secure.com
  • kaspersky.com
  • kaspersky-labs.com
  • liveupdate.symantec.com
  • liveupdate.symantecliveupdate.com
  • mast.mcafee.com
  • mcafee.com
  • microsoft.com
  • moneybookers.com
  • my-etrust.com
  • nai.com
  • networkassociates.com
  • pandasoftware.com
  • paypal.com
  • rads.mcafee.com
  • secure.nai.com
  • securityresponse.symantec.com
  • sophos.com
  • symantec.com
  • trendmicro.com
  • update.symantec.com
  • updates.symantec.com
  • us.mcafee.com
  • viruslist.com
  • virustotal.com
  • www.amazon.ca
  • www.amazon.co.uk
  • www.amazon.com
  • www.amazon.fr
  • www.avp.com
  • www.ca.com
  • www.ebay.com
  • www.f-secure.com
  • www.grisoft.com
  • www.kaspersky.com
  • www.mcafee.com
  • www.microsoft.com
  • www.moneybookers.com
  • www.my-etrust.com
  • www.nai.com
  • www.networkassociates.com
  • www.pandasoftware.com
  • www.paypal.com
  • www.sophos.com
  • www.symantec.com
  • www.trendmicro.com
  • www.viruslist.com
  • www.virustotal.com

Backdoor Capabilities

This worm opens a random port and connects to the Internet Relay Chat (IRC) server irc.unixirc.net. Once a connection is established, it joins a specific IRC channel #ccpower, where it listens for the following commands coming from a remote malicious user:

  • Download and execute a file
  • Retrieve system information
  • Scan for vulnerable systems
  • Transfer file through FTP

It executes the aforementioned commands on affected machines.

Other Details

This worm creates the mutex B-O-T-Z-O-R to ensure that only one instance of itself is running in the system's memory.

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Zimry Ong

Revision History:

First pattern file version: 7.611.00
First pattern file release date: Nov 10, 2010
 
Aug 22, 2005 - Modified Virus Report
Aug 24, 2005 - Insertion of Automatic Removal Instructions

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 7.611.00

Pattern release date: Nov 10, 2010


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

MANUAL REMOVAL INSTRUCTIONS

Terminating the Malware Program

This procedure terminates the running malware process.

If the process you are looking for is not in the list displayed by Task Manager, proceed to the succeeding solution set.

  1. Open Windows Task Manager.
    • On Windows 98 and ME, press
    CTRL+ALT+DELETE
    • On Windows NT, 2000, XP and Server 2003, press
    CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the process:
    fuck.exe
  3. Select the malware process, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. To check if the malware process has been terminated, close Task Manager, and then open it again.
  5. Close Task Manager.

*NOTE: On systems running Windows 98 and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions. If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Editing the Registry

This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    WINDOWS FUCK BY CLASIC = "fuck.exe"
    Or
    WINDOWS FUCK BY CLASIC = "\fuck.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    WINDOWS FUCK BY CLASIC = "fuck.exe"
    Or
    WINDOWS FUCK BY CLASIC = "\fuck.exe"
  6. Close Registry Editor.

Removing Malware Entries from the HOSTS File

Deleting malware entries from the HOSTS file removes all malware-made changes on host name association.

  1. Open the following file using a text editor (such as NOTEPAD):
    • On Windows 98 and ME:
      %Windows%\HOSTS
    • On Windows NT, 2000, XP, and Server 2003:
      %System%\drivers\etc\HOSTS
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
  2. Delete the following entries:
    • 127.0.0.1 www.symantec.com
    • 127.0.0.1 securityresponse.symantec.com
    • 127.0.0.1 symantec.com
    • 127.0.0.1 www.sophos.com
    • 127.0.0.1 sophos.com
    • 127.0.0.1 www.mcafee.com
    • 127.0.0.1 mcafee.com
    • 127.0.0.1 liveupdate.symantecliveupdate.com
    • 127.0.0.1 www.viruslist.com
    • 127.0.0.1 viruslist.com
    • 127.0.0.1 f-secure.com
    • 127.0.0.1 www.f-secure.com
    • 127.0.0.1 kaspersky.com
    • 127.0.0.1 kaspersky-labs.com
    • 127.0.0.1 www.avp.com
    • 127.0.0.1 www.kaspersky.com
    • 127.0.0.1 avp.com
    • 127.0.0.1 www.networkassociates.com
    • 127.0.0.1 networkassociates.com
    • 127.0.0.1 www.ca.com
    • 127.0.0.1 ca.com
    • 127.0.0.1 mast.mcafee.com
    • 127.0.0.1 my-etrust.com
    • 127.0.0.1 www.my-etrust.com
    • 127.0.0.1 download.mcafee.com
    • 127.0.0.1 dispatch.mcafee.com
    • 127.0.0.1 secure.nai.com
    • 127.0.0.1 nai.com
    • 127.0.0.1 www.nai.com
    • 127.0.0.1 update.symantec.com
    • 127.0.0.1 updates.symantec.com
    • 127.0.0.1 us.mcafee.com
    • 127.0.0.1 liveupdate.symantec.com
    • 127.0.0.1 customer.symantec.com
    • 127.0.0.1 rads.mcafee.com
    • 127.0.0.1 trendmicro.com
    • 127.0.0.1 pandasoftware.com
    • 127.0.0.1 www.pandasoftware.com
    • 127.0.0.1 www.trendmicro.com
    • 127.0.0.1 www.grisoft.com
    • 127.0.0.1 www.microsoft.com
    • 127.0.0.1 microsoft.com
    • 127.0.0.1 www.virustotal.com
    • 127.0.0.1 virustotal.com
    • 127.0.0.1 www.amazon.com
    • 127.0.0.1 www.amazon.co.uk
    • 127.0.0.1 www.amazon.ca
    • 127.0.0.1 www.amazon.fr
    • 127.0.0.1 www.paypal.com
    • 127.0.0.1 paypal.com
    • 127.0.0.1 moneybookers.com
    • 127.0.0.1 www.moneybookers.com
    • 127.0.0.1 www.ebay.com
    • 127.0.0.1 ebay.com
  3. Save the file and close the text editor.
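A clean-up helper for the procedure above and for the HOSTS modification described under Technical Details. It is an added example, not part of Trend Micro's instructions: it removes the worm's 127.0.0.1 entries while keeping every other line (comments, the legitimate localhost mapping, local entries), and it generalizes slightly by treating any host under one of the listed domains as a worm entry. The function names and the sample file content are assumptions made here.

```python
import shutil

# Registrable domains covering the write-up's block list; hosts under them count too.
BLOCKED_DOMAINS = {
    "avp.com", "ca.com", "symantec.com", "symantecliveupdate.com", "mcafee.com",
    "ebay.com", "f-secure.com", "kaspersky.com", "kaspersky-labs.com",
    "microsoft.com", "moneybookers.com", "my-etrust.com", "nai.com",
    "networkassociates.com", "pandasoftware.com", "paypal.com", "sophos.com",
    "trendmicro.com", "viruslist.com", "virustotal.com", "grisoft.com",
    "amazon.ca", "amazon.co.uk", "amazon.com", "amazon.fr",
}
LOOPBACK = "127.0.0.1"  # the address the worm maps every blocked name to


def is_blocked_host(name):
    """True if name is a blocked domain or any host under one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in BLOCKED_DOMAINS)


def clean_hosts_line(line):
    """Return the line to keep, or None if it is purely a worm entry. A loopback
    line mixing blocked and legitimate names keeps only the legitimate ones."""
    body, _, comment = line.partition("#")
    fields = body.split()
    if len(fields) < 2 or fields[0] != LOOPBACK:
        return line  # blank, comment-only or unrelated mapping
    keep = [n for n in fields[1:] if not is_blocked_host(n)]
    if len(keep) == len(fields) - 1:
        return line  # nothing blocked on this line
    if not keep:
        return None
    return " ".join([LOOPBACK] + keep) + (" #" + comment if comment else "")


def clean_hosts_text(text):
    """Return (cleaned_text, removed_lines) for the content of a HOSTS file."""
    kept, removed = [], []
    for line in text.splitlines():
        result = clean_hosts_line(line)
        if result is None:
            removed.append(line)
        else:
            kept.append(result)
    return "\n".join(kept) + "\n", removed


def clean_hosts_file(path):
    """Back up path to path + '.bak', rewrite it cleaned, return removed lines."""
    shutil.copyfile(path, path + ".bak")
    with open(path, encoding="latin-1") as fh:  # latin-1 round-trips any byte
        cleaned, removed = clean_hosts_text(fh.read())
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(cleaned)
    return removed


# Constructed sample: a stock HOSTS file with worm entries appended.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example  # local entry that must survive
127.0.0.1 www.symantec.com
127.0.0.1 www.amazon.co.uk
127.0.0.1 paypal.com
"""
```

On an infected system, call clean_hosts_file() with the HOSTS path for your Windows version from step 1; a .bak copy of the original is written first.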

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_ZOTOB.H. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.

Applying Patches

This malware exploits known vulnerabilities in Windows Plug and Play. Download and install the fix patch supplied by Microsoft. Refrain from using this product until the appropriate patch has been installed. Trend Micro advises users to download critical patches upon release by vendors.
