Canada Flag  Public Safety and Emergency Preparedness Canada | Sécurité publique et Protection civile Canada
You have accessed an archived page on the Public Safety and Emergency Preparedness Canada website. This material may be outdated. Please consult our new site for up-to-date information.


Alert Number: AL05-001
W32.Zotob.E, W32/ircbot.worm!ms05-039, WORM_RBOT.CBQ
16 August 2005

Purpose
The purpose of this advisory is to bring attention to the W32.Zotob.E worm (aka W32/ircbot.worm!ms05-039, WORM_RBOT.CBQ).

Assessment
This worm opens a back door and spreads by exploiting the Microsoft Windows Plug and Play buffer overflow vulnerability (described in Microsoft Security Bulletin MS05-039) over TCP port 445; no user interaction is required on the target. Upon execution, the worm drops a copy of itself in the Windows system folder as WINTBP.EXE.

It creates the following registry entry to ensure it automatically executes during every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wintbp.exe = "wintbp.exe"

This worm creates multiple threads, each of which generates a random IP address to target. Each thread checks whether TCP port 445 is open on its target; if it is, the thread attempts to exploit the target system. If the exploit succeeds, the worm opens a remote shell on TCP port 7778 of the target, then starts a TFTP service so that the target can download a copy of the worm, which is then executed on the exploited system. After execution, the worm creates a batch script to delete the dropped file.

This worm also connects to the IRC server at 72.20.27.115, if that server is reachable, and joins the channel #tbp. It sends the following messages to the channel:

{Random} :ER DL FH
{Random} :ER DL IF
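The propagation sequence and the IRC beacon described above translate directly into network indicators: a host fanning out to many addresses on TCP/445, a follow-on connection to TCP/7778 on a newly probed host, a UDP/69 (TFTP) transfer from that host back to the infector, and any traffic to 72.20.27.115. The following Python script is an added example, not part of the PSEPC advisory or of any vendor tooling, that applies those four indicators to firewall flow logs. The log format, the sample lines, the scan threshold of ten distinct targets and the IRC destination port 6667 are all assumptions made for the example; the advisory itself gives no IRC port.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from the advisory text: the IRC C2 server, the service port
# the MS05-039 exploit is delivered over, the remote shell port, and the TFTP
# transfer the worm uses to pull its binary onto the exploited host.
IRC_C2_HOST = "72.20.27.115"
EXPLOIT_PORT = 445
SHELL_PORT = 7778
TFTP_PORT = 69
# Assumption: distinct TCP/445 targets one source must touch before it is
# reported as a scanner. Ordinary file-share clients do not fan out like this.
SCAN_THRESHOLD = 10

# Assumed (constructed) firewall log format, one flow per line:
#   <time> <tcp|udp> <src_ip> -> <dst_ip>:<dst_port> <allow|deny>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<action>allow|deny)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    dst: str
    dport: int
    action: str


def parse_flows(lines):
    """Parse log lines into Flow records; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["proto"], m["src"], m["dst"],
                              int(m["dport"]), m["action"]))
    return flows


def analyse(flows):
    """Apply the four Zotob.E network indicators to chronologically ordered flows."""
    targets_445 = defaultdict(set)   # source -> distinct hosts it probed on TCP/445
    shells = set()                   # (infector, victim) pairs with a TCP/7778 connection
    findings = {"scanners": set(), "shells": set(), "tftp_pulls": set(), "c2": set()}
    for f in flows:
        if f.proto == "tcp" and f.dport == EXPLOIT_PORT:
            # Denied probes count too: a scanner shows up mostly as denies.
            targets_445[f.src].add(f.dst)
        elif f.proto == "tcp" and f.dport == SHELL_PORT:
            shells.add((f.src, f.dst))
        elif f.proto == "udp" and f.dport == TFTP_PORT:
            # The exploited host fetches the binary from the host that opened
            # the shell on it, so the TFTP flow runs victim -> infector.
            if (f.dst, f.src) in shells:
                findings["tftp_pulls"].add((f.dst, f.src))
        if f.dst == IRC_C2_HOST:
            findings["c2"].add(f.src)
    findings["scanners"] = {s for s, t in targets_445.items() if len(t) >= SCAN_THRESHOLD}
    findings["shells"] = shells
    return findings


# Constructed sample log: 10.0.0.5 is infected and scanning, 10.0.0.23 is its
# victim, 10.0.0.7 is a normal client talking to a file server.
SAMPLE_LOG = [
    f"2005-08-16T09:00:{i:02d} tcp 10.0.0.5 -> 10.0.{i}.77:445 deny" for i in range(12)
] + [
    "2005-08-16T09:00:12 tcp 10.0.0.5 -> 10.0.0.23:445 allow",
    "2005-08-16T09:00:13 tcp 10.0.0.5 -> 10.0.0.23:7778 allow",
    "2005-08-16T09:00:14 udp 10.0.0.23 -> 10.0.0.5:69 allow",
    "2005-08-16T09:00:20 tcp 10.0.0.23 -> 72.20.27.115:6667 allow",  # IRC port assumed
    "2005-08-16T09:01:00 tcp 10.0.0.7 -> 10.0.0.9:445 allow",        # ordinary share access
    "2005-08-16T09:01:01 tcp 10.0.0.7 -> 10.0.0.9:80 allow",
]

if __name__ == "__main__":
    for name, hits in analyse(parse_flows(SAMPLE_LOG)).items():
        print(f"{name}: {sorted(hits)}")
```

The single TCP/445 connection from 10.0.0.7 stays below the threshold, so only the fan-out from 10.0.0.5 is reported; the TFTP rule deliberately fires only when the UDP/69 flow is the reverse of an already seen 7778 shell, which keeps legitimate TFTP (network-device configuration pulls, PXE) out of the result.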

Suggested Action
PSEPC recommends that you ensure your anti-virus software definitions are current and that the security update described in Microsoft Security Bulletin MS05-039 is applied to affected Windows systems, since the worm spreads by exploiting that vulnerability directly over the network.

Additional information about this worm is available at the following links:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2ECBQ&VSect=P
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=135491


---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products. To report threats or incidents, please contact the PSEPC Government Operations Centre (GOC) at (613) 991-7000 or opscen@ocipep-bpiepc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

Links to sites not under the control of the Government of Canada (GoC) are provided solely for the convenience of users. The GoC is not responsible for the accuracy, currency or the reliability of the content. The GoC does not offer any guarantee in that regard and is not responsible for the information found through these links, nor does it endorse the sites and their content.

Last Updated: 10/25/2005