W32.Zotob.A
A self-executing worm, W32.Zotob.A, is spreading in the wild. It exploits the vulnerability in the Microsoft Windows Plug and Play service described in CERT-In vulnerability note CIVN-2004-73, over TCP port 445. It randomly scans Class B address ranges for vulnerable systems and, on a compromised host, opens a command shell on TCP port 8888, which is used to download and execute the worm via FTP (FTP.EXE driven by the script file 2pac.txt) from the attacker's computer (TCP port 33333, file haha.exe). It then installs an FTP server listening on port 33333, which can be used to propagate the worm to other vulnerable systems.
This worm also opens a backdoor that tries to connect to an IRC server (diabl0.turkcoders.net on TCP port 8080), allowing attackers to gain access to and take control of the system.
Some variants of Sdbot are also exploiting this vulnerability.
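The network behaviour described above (a port-445 sweep, the port-8888 shell, the port-33333 FTP download and the IRC check-in) can be matched against connection logs. The following is an added detection example, not part of the CERT-In advisory; it assumes a simple constructed flow-log layout ("time src -> dst:port") and an assumed sweep threshold of 8 distinct hosts.

```python
import re

# Indicators as stated in the advisory: port 445 is the exploit vector, 8888 the
# command shell, 33333 the worm's FTP server, and the IRC backdoor destination.
PORT_TAGS = {
    8888: "Zotob command shell",
    33333: "Zotob FTP server (haha.exe download)",
}
IRC_C2 = ("diabl0.turkcoders.net", 8080)
SWEEP_THRESHOLD = 8  # assumed: distinct hosts hit on 445 by one source before alerting

# Assumed flow-log layout (constructed for this example): "<time> <src> -> <dst>:<port>"
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+->\s+([^:\s]+):(\d+)$")

def analyse(lines):
    """Return (src, dst, port, reason) tuples for lines matching Zotob behaviour."""
    alerts, sweep = [], {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port == 445:
            sweep.setdefault(src, set()).add(dst)  # track scan breadth per source
        elif port in PORT_TAGS:
            alerts.append((src, dst, port, PORT_TAGS[port]))
        elif (dst.lower(), port) == IRC_C2:
            alerts.append((src, dst, port, "Zotob IRC backdoor check-in"))
    for src, dsts in sweep.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            alerts.append((src, "*", 445, f"port-445 sweep of {len(dsts)} hosts"))
    return alerts

# Constructed sample: one infected host sweeping 445, then the download chain and C2.
SAMPLE_LOG = [f"10:00:{i:02d} 192.0.2.10 -> 192.0.2.{100 + i}:445" for i in range(8)] + [
    "10:00:09 192.0.2.10 -> 192.0.2.105:8888",
    "10:00:10 192.0.2.105 -> 192.0.2.10:33333",
    "10:00:11 192.0.2.105 -> diabl0.turkcoders.net:8080",
    "10:00:12 192.0.2.50 -> 192.0.2.60:80",
    "garbage line",
]

def run_demo():
    return analyse(SAMPLE_LOG)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```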
Users are advised to apply the appropriate patches as described in Microsoft Security Bulletin MS05-039 and to update their antivirus software to mitigate the risk. For further details and disinfection instructions, refer to the following URLs:
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91 11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003