
Extreme Wave (I-Worm/Zotob) worm technical analysis report

Virus name: I-Worm/Zotob

Virus type: worm, backdoor

Virus size: 22528 bytes

Method of transmission : Network

Degree of harm: ★★★

   On August 15, 2005, the Jiangmin Anti-Virus Center intercepted I-Worm/Zotob, a worm that exploits the remote code execution vulnerability in Microsoft's Plug and Play service (MS05-039). The worm spreads through this newly disclosed vulnerability and accepts attacker commands over IRC, so that an infected computer is completely under the attacker's control.


  The specific technical characteristics of the virus are as follows:

   1. After the worm runs, it creates the following file:

  %SystemDir%\botzor.exe, 22528 bytes


  Figure 1

  2. Add the following startup key to the registry:

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

  "WINDOWS SYSTEM" = botzor.exe

  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

  "WINDOWS SYSTEM" = botzor.exe

   In this way the worm is executed automatically every time Windows starts. Note that the RunServices key is only processed by Windows 95/98/Me; on Windows 2000 and XP the Run value alone provides the persistence, so a cleanup must remove both values.


  Figure 2

  3. Connects to an IRC server over TCP port 8080 and accepts and executes commands from the attacker, which gives the attacker complete control of the infected computer. Because 8080 is also a common HTTP proxy port, an outbound connection to that port is only a meaningful indicator when tied to the botzor.exe process.

  4. Starts an FTP server on TCP port 33333 from which the worm file can be downloaded, and spreads by exploiting the Plug and Play service remote code execution vulnerability (MS05-039), which is reached over SMB on TCP port 445. If the exploit succeeds, the remote target downloads the worm from the FTP server on the currently infected computer and runs it. If the exploit fails, the services.exe process on the unpatched remote computer may crash, since the vulnerable Plug and Play code runs inside that process; on Windows 2000 and XP this typically forces a system reboot.


  Figure 3

  5. Modifies %SystemDir%\drivers\etc\hosts to block access to the websites of a large number of foreign anti-virus and security vendors, and writes the following text into the file:

  MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
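As an added example (not code from the Jiangmin report), the following Python script turns the indicators above into an offline triage check: it parses `netstat -ano` and `tasklist` output to find the FTP listener on TCP 33333 and outbound connections to TCP 8080 (rated high only when the owning process is botzor.exe, since 8080 is also a common HTTP proxy port), scans the hosts file for vendor domains sinkholed to localhost and for the worm's marker text, and reads a `reg export` dump of the Run and RunServices keys for the "WINDOWS SYSTEM" value. The ports, file name, value name and marker string come from the report; the vendor domain hint list, the sample command outputs, the PIDs and the addresses are constructed assumptions. On a suspect host you would feed it the real command output instead of the samples.

```python
"""Triage helpers for the I-Worm/Zotob indicators listed in this report.
Added example, not code from the original report. Ports, file name, value
name and hosts marker come from the report; the vendor domain hints and all
sample inputs below are constructed assumptions."""
import re

IRC_CC_PORT = 8080        # outbound IRC command-and-control connection
FTP_LISTEN_PORT = 33333   # FTP listener that serves botzor.exe to new victims
DROPPED_FILE = "botzor.exe"
RUN_VALUE_NAME = "WINDOWS SYSTEM"
HOSTS_MARKER = "MSG to avs:"
# Assumed: the report does not list the blocked vendor sites, so match on hints.
VENDOR_DOMAIN_HINTS = ("symantec", "mcafee", "kaspersky", "trendmicro",
                       "sophos", "f-secure", "microsoft", "windowsupdate")

def parse_tasklist(tasklist_text):
    """Map PID -> image name from `tasklist` output; header/separator lines skipped."""
    images = {}
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            images[int(parts[1])] = parts[0]
    return images

def find_network_indicators(netstat_text, tasklist_text):
    """Flag the 33333 listener and outbound 8080 connections in `netstat -ano`
    output; outbound 8080 is rated high only when owned by the dropped file."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _, local, remote, state, pid = parts
        image = images.get(int(pid), "?")
        if state == "LISTENING" and int(local.rsplit(":", 1)[1]) == FTP_LISTEN_PORT:
            findings.append(("ftp_33333_listener", int(pid), image))
        elif state == "ESTABLISHED" and int(remote.rsplit(":", 1)[1]) == IRC_CC_PORT:
            rating = "high" if image.lower() == DROPPED_FILE else "low"
            findings.append((f"outbound_8080_{rating}", int(pid), image))
    return findings

def find_hosts_tampering(hosts_text):
    """Flag the worm's marker line and vendor domains sinkholed to localhost."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        if HOSTS_MARKER in raw:
            findings.append(("marker", lineno, raw.strip()))
            continue
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0", "::1"):
            continue
        for name in fields[1:]:
            host = name.lower()
            if host != "localhost" and any(h in host for h in VENDOR_DOMAIN_HINTS):
                findings.append(("vendor_sinkhole", lineno, name))
    return findings

def find_run_key_persistence(reg_text):
    """Scan a `reg export` dump of Run/RunServices for the worm's value or file."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m or key is None or not key.lower().endswith(("\\run", "\\runservices")):
            continue
        name, data = m.groups()
        if name.upper() == RUN_VALUE_NAME or DROPPED_FILE in data.lower():
            findings.append((key.rsplit("\\", 1)[1], name, data))
    return findings

# Constructed sample inputs (RFC 5737 documentation addresses, fictitious PIDs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING       1572
  TCP    192.0.2.10:1047        198.51.100.7:8080      ESTABLISHED     1572
  TCP    192.0.2.10:1051        203.0.113.9:8080       ESTABLISHED     2204
"""
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
botzor.exe                    1572 Console                    0       2,860 K
firefox.exe                   2204 Console                    0      41,220 K
"""
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       www.mcafee.com
127.0.0.1       update.microsoft.com
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
"""
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"
"WINDOWS SYSTEM"="botzor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="botzor.exe"
"""

if __name__ == "__main__":
    for f in (find_network_indicators(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
              + find_hosts_tampering(SAMPLE_HOSTS) + find_run_key_persistence(SAMPLE_REG)):
        print(f)
```

The three checks are kept independent so that each can run on whatever evidence was collected; the network check is the only one that needs two inputs, because the PID-to-image correlation is what separates the worm's 8080 IRC session from an ordinary proxy connection.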

  Jiangmin KV antivirus software can detect and remove this worm after the virus database update of August 15. Jiangmin reminds users to update the virus database promptly, enable real-time monitoring, and install the Microsoft security patch for MS05-039 immediately to protect their systems from this worm.

Republished by www.internetweblist.com; the content does not represent the position of the site. Source: http://www.internetweblist.com/Virus prevention/21832.html
