Clusterheadaches.com Message Board (http://www.clusterheadaches.com/cgi-bin/yabb/YaBB.cgi)
New Message Board Archives >> 2005 General Board Posts >> New BASTARD is out there
(Message started by: Svenn on Aug 16th, 2005, 3:11am)

Title: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 3:11am
Virus information
W32/Zotob-A
Summary


Profile Prevalence: low  high  
Name W32/Zotob-A
Type  Worm

Affected operating systems Windows

Side effects Allows others to access the computer
Reduces system security
Installs itself in the Registry
Exploits system or software vulnerabilities

Aliases Net-Worm.Win32.Mytob.cd
W32/Zotob.worm
WORM_ZOTOB.A

Protection Download virus identity (IDE) file  
Protection available since 14 August 2005 15:53:19 (GMT)  
Included in our products from October 2005 (3.98)

Staying up to date
EM Library provides fully automated updating of Sophos Anti-Virus on a wide range of platforms. If you're using one of our enterprise solutions and aren't already using EM Library, check it out now. Users of our small business solutions are automatically updated by Sophos AutoUpdate.


Description


This section helps you to understand how it behaves
W32/Zotob-A is a worm and backdoor Trojan for the Windows platform.
W32/Zotob-A spreads to other network computers by exploiting common buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039).
W32/Zotob-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer.


Recovery


This section tells you how to disinfect.
Please follow the instructions for removing worms.


Advanced


This section is for technical experts who want to know more.  
When first run W32/Zotob-A copies itself to <System>\botzor.exe.
The following registry entries are created to run botzor.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
WINDOWS SYSTEM = botzor.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
WINDOWS SYSTEM = botzor.exe

W32/Zotob-A also sets the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = 4

The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.
W32/Zotob-A also appends the following to the system HOSTS file in order to prevent access to certain websites:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
Patches for the operating system vulnerabilities exploited by W32/Zotob-A can be obtained from Microsoft at:
MS04-011
MS05-039


© 1997-2005 Sophos Plc. All rights reserved. Legal | Privacy
         

continues
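
An added example, not part of the original post or of the Sophos advisory it quotes: a Python triage check for the indicators the advisory lists (the botzor.exe autostart values, SharedAccess Start set to 4, and loopback entries appended to HOSTS). It assumes the registry was exported to .reg text and decoded by the caller; the function names, sample inputs and placeholder host names are constructed for illustration.

```python
import re

# Indicators as listed in the advisory quoted above.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHARED_ACCESS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
DROPPED_EXE = "botzor.exe"
SINK_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}      # addresses used to black-hole a name
BENIGN_NAMES = {"localhost", "localhost.localdomain"}

def parse_reg_export(text):
    """Parse .reg export text into {KEY_PATH_UPPER: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def check_registry(reg_text):
    """Return (kind, key, value_name) tuples for the advisory's registry indicators."""
    findings = []
    keys = parse_reg_export(reg_text)
    for key in RUN_KEYS:
        for name, data in keys.get(key.upper(), {}).items():
            if DROPPED_EXE in data.lower():
                findings.append(("autostart", key, name))
    start = keys.get(SHARED_ACCESS.upper(), {}).get("Start", "")
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", start)
    if m and int(m.group(1), 16) == 4:            # a service Start value of 4 means disabled
        findings.append(("service_disabled", SHARED_ACCESS, "Start"))
    return findings

def check_hosts(hosts_text):
    """Return names a hosts file pins to a loopback or null address (localhost excluded)."""
    hits = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        hits.update(n.lower() for n in fields[1:] if n.lower() not in BENIGN_NAMES)
    return sorted(hits)

# Constructed sample inputs (not captured from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
"""
SAMPLE_HOSTS = """\
# constructed sample: names are placeholders, not the advisory's list
127.0.0.1 localhost
127.0.0.1 www.av-vendor.example
127.0.0.1 update.os-vendor.example  # appended entry
10.0.0.5 fileserver.corp.example
"""

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REG):
        print("registry:", finding)
    for name in check_hosts(SAMPLE_HOSTS):
        print("hosts redirect:", name)
```

A loopback entry for anything other than localhost is worth a look on its own; legitimate ad-blocking hosts files produce the same hits, so review the names before acting.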

Title: Re: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 3:12am

Svenn

Title: Re: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 3:17am
Reboot the computer from a clean startup or system disk.
Delete the worm files manually or using the DOS instructions.
5. Macintosh OS X computers
To remove a worm:

Check the virus analysis for details on the worm and its removal.
Close down all programs.
Run the Sophos Anti-Virus program.
Go to 'Sophos Anti-Virus preferences'.
Choose 'Disinfection' from the 'Immediate Mode' menu.
Select 'Infected Files' and 'Delete'.
Close 'Sophos Anti-Virus preferences'.
Click the green 'Play' arrow button.
Click 'OK' when asked if files should be deleted.
Run another scan to ensure that the worm has been removed.
Go back to 'Virus Action' and deselect 'Infected Files' and 'Delete'.
If problems persist, contact support.
6. DOS
You will need SWEEP for DOS on floppy disk. To do this, make a set of Emergency SAV disks.

Check the virus analysis for details on the worm and its removal.
Reboot your PC from a clean system disk, put the SWEEP for DOS disk in the floppy drive and at the A: prompt type:

SWEEP *: -REMOVEF



Title: Re: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 3:17am
7. OS/2
Check the virus analysis for details on the worm and its removal.
For drive C: at a command prompt type
OSWEEP C: -REMOVEF
Run a scan to check that all worm files were deleted.
If infection persists, disinfect in stand-alone mode:

If OS/2 is running, shut it down.
Boot OS/2 from the OS/2 Utility disk set. Follow the on-screen instructions. When booting has finished the A: prompt appears.
Remove the OS/2 Utility disk.
Place the Emergency OSWEEP disk in drive A:.
For drive C: at the A: command prompt type
OSWEEP C: -REMOVEF -CI
(-REMOVEF deletes the infected files, -CI checks the integrity of SWEEP on the 'Emergency OSWEEP' disk.) The computer checks program integrity then asks for the virus data disk. Replace the Emergency OSWEEP disk with the virus data disk.
After disinfection, run another scan to check that all worm files were deleted.
If problems persist, contact support.
8. NetWare
Note: This will delete any documents infected with macro viruses. Deal with them first.

Check the virus analysis for details on the worm and its removal.
Run a scan to locate all worm files.
Select 'Delete' in the 'Removal mode' option of the Immediate Mode menu.
Delete the worm files.


9. UNIX
Check the virus analysis for details on the worm and its removal.
Use SWEEP with the -remove option

sweep -remove
Run a scan to check that all worm files were deleted.
10. OpenVMS
Check the virus analysis for details on the worm and its removal.
Delete the worm files by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.

Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.





Svenn

Continues

Title: Re: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 3:17am

Svenn

Title: Re: New BASTARD is out there
Post by AussieBrian on Aug 16th, 2005, 4:05am
Lovely, Svenn.  Just loverly!  

The underlying influence of Browning's imagery subjugates the analogy and the prolypse to Jung was purely metaphysical in its nature.

Yeats tried this, backing on Keats's failure to establish the metaphor, even the modernists thought twice.  Given my computer wizardry, I shall now C & P this to our poetry section where it shall hang with pride in finitum et ad nauseam.

I raise my hat and bend my knee to a higher authority, and will never write another poem.  I simply can't compete with perfection.

Title: Re: New BASTARD is out there
Post by Jasmyn on Aug 16th, 2005, 4:11am
Svenn like Aussie Brain just said, it's a bit over my head! ;;D

Title: Re: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 4:44am
It's just a warning about a new worm out there folks

I just cut and pasted the stuff in case those poor bastards with dialup don't have to open more windows than necessary

Read or not, that's your problem   [smiley=laugh.gif] [smiley=laugh.gif] [smiley=laugh.gif] [smiley=laugh.gif]

Title: Re: New BASTARD is out there
Post by TheMasterBaker on Aug 16th, 2005, 7:37am
I work with two major global networks, both slowed or down since yesterday....BASTARDS!!

Thanks Svenn!!

Title: Re: New BASTARD is out there
Post by Frank_W on Aug 16th, 2005, 8:01am

on 08/16/05 at 04:05:16, AussieBrian wrote:
The underlying influence of Browning's imagery subjugates the analogy and the prolypse to Jung was purely metaphysical in its nature.

Yeats tried this, backing on Keats's failure to establish the metaphor, even the modernists thought twice.  Given my computer wizardry, I shall now C & P this to our poetry section where it shall hang with pride in finitum et ad nauseam.


I quite agree. [smiley=laugh.gif]

Title: Re: New BASTARD is out there
Post by Redd_baby_girl on Aug 16th, 2005, 8:12am
i feel like i have a migraine.  i have had one b4, believe me.  easter time.  ask Redd; she'll tell you.  had to go home early...  i didn't get enough candy..... GR U U STUPID MIGRAINES!!!!!!!!  GR U U STUPID CLUSTERHEADACHES!!!!!!!!  WHY DID YOU HAVE TO COME TO RUIN SOME PPLZ LIVES BY INFECTING THEM OR WHATEVER U DO AND TO RUIN THE LIVES OF THE PPLZ AROUND THEM BECAUSE U HURT THEIR FEELINGS BY SHOWING UP AND TORMENTING THE PPLZ WITH WHOM U HAVE INFECTED OR WHATEVER!!!!


but, anyway, i will watch out for this new worm.  REAL worms are squiggly, COMPUTER worms are very stupid.  i hope that it doesn't affect any1's computer that i know and love.


Megi

Title: Re: New BASTARD is out there
Post by Jasmyn on Aug 16th, 2005, 8:28am
Hang in there Megi! [smiley=hug.gif]

Title: Re: New BASTARD is out there
Post by Frank_W on Aug 16th, 2005, 8:33am
Hang in there, Megi.  :-/

Title: Re: New BASTARD is out there
Post by ClusterChuck on Aug 16th, 2005, 10:42am
OK, call me "Not too smucken fart" ... ... (NO wise a$$ comments required ... I can hear you all thinking of a comment to make ...)

Can you tell me, in plain language, how you get this worm/virus, like is there any particular message to watch out for?  Also, how do you know (in a dummy's eyes) that you have been infected?

Chuck, the 'puter dumkoff

Title: Re: New BASTARD is out there
Post by Frank_W on Aug 16th, 2005, 10:47am
In other news, the OLD BASTARD is still out there. ME!!!!!  [smiley=laugh.gif]

Title: Re: New BASTARD is out there
Post by Svenn on Aug 16th, 2005, 1:47pm

on 08/16/05 at 10:42:48, ClusterChuck wrote:
OK, call me "Not too smucken fart" ... ... (NO wise a$$ comments required ... I can hear you all thinking of a comment to make ...)

Can you tell me, in plain language, how you get this worm/virus, like is there any particular message to watch out for?  Also, how do you know (in a dummy's eyes) that you have been infected?

Chuck, the 'puter dumkoff




Plain language is=  

Du vet da hva du må gjøre Chuck.Er ikke så vanskelig ;;D ;;D ;;D ;;D


You know what to do is the other plain language



For the rest of you, keep your antivirus program updated at all times, also use a worm/spy program remover like Spybot or Ad-Aware

Title: Re: New BASTARD is out there
Post by Frank_W on Aug 16th, 2005, 2:18pm
Sappari wakaranai... Gata-gata itten jianaiyo! Chikusho...  [smiley=huh.gif]

Title: Re: New BASTARD is out there
Post by Charlie on Aug 16th, 2005, 8:18pm
Yikes.

Charlie http://www.subscribe.smileygenerator.us/all/albums/0riginals/eekout.gif?SSImageQuality=Full


Title: Re: New BASTARD is out there
Post by Redneck on Aug 16th, 2005, 8:48pm
Kevlar in place, adware already updated, avast updated, microsoft antispyware updated, spywareblaster updated, spysubtract (now trend micro) updated, windows firewall and windows updated. Network at the office already cleaned it out. And a couple more I aint a telling about  ;)

Title: Re: New BASTARD is out there
Post by Opus on Aug 16th, 2005, 9:06pm
It is a worm, it doesn't require user intervention to infect like a virus does, it attacks and infects vulnerable systems automatically. Since it only affects Microsoft Windows systems, only those users need to be concerned. This worm affects Windows 2000 (NT5.0) and can be stopped by getting the recent updates, blocking port 445 (which will affect file sharing with other windows systems and samba servers) and disabling Universal Plug and Play.

Opus/Paul

Title: Re: New BASTARD is out there
Post by Opus on Aug 16th, 2005, 9:18pm

More on the worm (http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html)

Sorry but the site seems to be Slashdotted (http://slashdot.org/) so you might have to wait a while before it works.

Opus/Paul

Title: Re: New BASTARD is out there
Post by Opus on Aug 16th, 2005, 9:22pm

on 08/16/05 at 20:48:28, Redneck wrote:
Kevlar in place, adware already updated, avast updated, microsoft antispyware updated, spywareblaster updated, spysubtract (now trend micro) updated, windows firewall and windows updated. Network at the office already cleaned it out. And a couple more I aint a telling about  ;)




And all I had to do was install Ubuntu (http://www.ubuntulinux.org/) to get the same result.

Opus/Paul [smiley=smokin.gif]

Title: Re: New BASTARD is out there
Post by BobG on Aug 17th, 2005, 1:10pm
We just got a notice that the worm has gotten into the U.S. Senate computers and has caused a work slow down.

Slowdown? Yeah right, how could anybody tell?


