Click Here to Install Silverlight*
United StatesChange|All Microsoft Sites
Microsoft
Security 

Malicious Software Encyclopedia: Worm:Win32/Zotob.D

Published: September 13, 2005

Worm:Win32/Zotob.D is a backdoor Trojan that targets computers running Microsoft Windows 2000 that do not have MS05-039 installed. It can also infect computers running other versions of Windows operating systems if it is delivered through e-mail, instant messaging, or other routes. The Trojan connects to an IRC server from the infected computer to receive commands from attackers.

**

Related Links

Removal Tools - Microsoft

Glossary Terms

Click the term to get the definition from our Security Glossary.

Trojan horse

virus

worm

**
On This Page
Threat OverviewThreat Overview
Aliases (Also Known As)Aliases (Also Known As)
Related Security BulletinsRelated Security Bulletins
Technical AnalysisTechnical Analysis
How to Prevent InfectionHow to Prevent Infection
How to Tell If Your Computer Is InfectedHow to Tell If Your Computer Is Infected
How to Recover from InfectionHow to Recover from Infection
Transmission MethodsTransmission Methods
Payload InformationPayload Information
Modified Registry EntriesModified Registry Entries
Affected PortsAffected Ports
Dropped FilesDropped Files

Threat Overview

Class/typeTrojan - Backdoor
DiscoveredOctober 7, 2008
CirculatingYes
Affected operating systemsWindows 2000
Affected software Not specified
Infection ratingLow
Recovery difficultyModerate
Damage ratingMedium
Transmission ratingLow
Size 51,326 bytes

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • F-secure: IRCBot.et
  • McAfee: Win32/Sdbot.worm!MS05-039
  • Sophos: W32/Dogbot-A
  • Symantec: W32.Zotob.D

    • Learn more about the Microsoft Virus Information Alliance.

    Related Security Bulletins

    The following Microsoft Security bulletins are related to this issue:

  • MS05-039 - Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege (899588)

    • Technical Analysis

    Worm:Win32/Zotob.D checks for the presence of a mutex named windrg322. If the mutex exists, the Trojan process exits so that only one instance of the Trojan is running. Otherwise, the Trojan takes the following actions:
    • Creates folder wbev under <system folder>.
    • Creates a copy of itself named windrg32.exe in <system folder>\wbev.
    • Exits after running windrg32.exe, the Trojan copy. The copy then performs the following operations:
      • Creates a batch file at <temp folder>\<random number>rm.bat.
      • Runs the batch file, which deletes the original Trojan file.
      • Creates value: WinDrg32
        with data: C:\Windows\System32\wbev\windrg32.exe
        in registry key:
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        This registry modification causes the Trojan to run each time Windows starts.
      • Checks Internet connectivity by contacting certain Web sites.
      • Removes or disables certain applications related to adware, spyware, and malicious software by terminating processes, deleting registry values, and deleting files and folders in the Windows system folder and Windows program files folder.
      • Connects to one of several specified IRC servers and joins a specified IRC channel to receive commands from attackers such as the following:
        • Retrieve system information.
        • Break the username and password on the infected computer using a list of common words.
        • Download and run files.
        • View e-mail.
        • List threads and processes.
        • Terminate threads and processes.
        • Disconnect from or reconnect to IRC channels.
        • Use google.com to perform Web searches.
        • Attempt to exploit Windows vulnerability MS05-039 on other computers in the following manner. An attacker sends IRC command scan.pnp to the infected computer. The infected computer then opens an FTP server on its TCP port 29463, scans randomly generated IP addresses at their TCP port 445, and sends exploit code when a connection is established. If the exploit code succeeds, the newly exploited computer opens a command shell and the previously infected computer sends a shell script to instruct the newly exploited computer to download a copy of the Trojan using FTP.

    How to Prevent Infection

    Take the following steps to help prevent infection on your system:
    • Enable a firewall on your computer.
    • Get the latest computer updates.
    • Use up-to-date antivirus software.

    Enable a firewall on your computer

    Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
    To turn on the Internet Connection Firewall in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Highlight a connection that you want to help protect, and click Change settings of this connection.
    4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
    5. Click OK.

    Get the latest computer updates

    Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates in Windows XP
    1. Click Start, and click Control Panel
    2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
    3. Click System.
    4. Click Automatic Updates, and select Keep my computer up to date.
    5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
    6. If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

    Use up-to-date antivirus software

    Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, you can get it from one of several companies. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

    How to Tell If Your Computer Is Infected

    There are no readily apparent indications that your computer is infected with Worm:Win32/Zotob.D. However, the following symptoms may indicate that your computer is infected by this Trojan:
    • Presence of the file <system folder>\wbev\windrg32.exe.
    • Presence of value: WinDrg32
      with data: <system folder>\wbev\windrg32.exe
      in the following registry keys:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • The Processes tab in Windows Task Manager shows that process windrg32.exe is running.

    How to Recover from Infection

    Automatic Recovery
    To attempt to automatically remove this threat, run one of the following removal tools:

    Manual Recovery

    To recover manually from infection by Worm:Win32/Zotob.D, follow these steps:
    1. Install Windows security update MS05-039.
    2. Disconnect from the Internet.
    3. End the Trojan process.
    4. Delete the Trojan file from your computer.
    5. Delete the Trojan registry entry.
    6. Restart your computer.
    7. Take steps to prevent re-infection.

    Install Windows security update MS05-039

    To install MS05-039 using Windows Update
    1. Go to the Windows Update Web site at windowsupdate.microsoft.com.
    2. On the Windows Update site, click Scan for Updates. Windows Update scans your computer and returns a list of critical updates, including service packs.
    3. In the Pick updates to install list, click Critical Updates and Service Packs. Windows Update creates a list of the updates appropriate for your computer, including MS05-039 if it is not installed. Critical updates are selected for download automatically.
    4. Click Review and install updates, and then click Install Now. You may need to restart your computer after installing the updates.

    Disconnect from the Internet

    To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

    End the Trojan process

    To end the Trojan process
    1. Press CTRL+ALT+DEL once and click Task Manager.
    2. Click Processes and click Image Name to sort the running processes by name.
    3. Select the process windrg32.exe, and click End Process.

    Delete the Trojan file from your computer

    To delete the Trojan file from your computer
    1. Click Start, and click Run.
    2. In the Open field, type the name of the system folder, for example C:\Windows\System32 
    3. Click OK.
    4. Click Name to sort the folders and files by name.
    5. Delete the folder wbev if it is in the list. This deletes the wbev folder as well as the Trojan file it contains.
    6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
    7. Click Yes to confirm the deletion.

    Delete the Trojan registry entry

    Worm:Win32/Zotob.D creates an entry in the Windows registry that causes the Trojan to run each time Windows starts. This entry should be deleted.
    To delete the Trojan registry entry
    1. On the Start menu, click Run.
    2. Type regedit and click OK.
    3. In the left pane, navigate to the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    4. In the right pane, right-click the following value, if it exists: WinDrg32
    5. Click Delete and click Yes to delete the value.
    6. Close the Registry Editor.

    Restart your computer

    To restart your computer
    1. On the Start menu, click Shut Down.
    2. Select Restart from the drop-down list and click OK.

    Take steps to prevent re-infection

    Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.

    Transmission Methods

    MethodDescription
    Exploits VulnerabilityExploits the Plug-and-Play vulnerability fixed in Microsoft Security Bulletin MS05-039.

    Payload Information

    Payload typeTriggerDescription
    Creates files
    Execution
    Copies itself to <system folder>\wbev\windrg32.exe.
    Compromises Security
    Execution
    Connects to an IRC server to receive commands from attackers.
    Release information
    Execution
    Can release system information and other data to attackers through an IRC channel.

    Modified Registry Entries

    Added registry entries
    KeyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value nameWinDrg32 [String]
    Changed registry entries
    KeyHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Value nameWinDrg32 [String]
    Old value
    New value<system folder>\wbev\windrg32.exe [String]

    Affected Ports

    ProtocolPort number
    TCP445
    TCP29463

    Dropped Files

    Path<system folder>\wbev\Windrg32.exe
    File size51,326 bytes  to 51,326 bytes
    SHA1 hash25cb28442d1b92987264201e4e11990b698d8a35

    © 2009 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy Statement