Microsoft security software detects and removes this threat.
Win32/Zotob is a network worm that primarily targets Microsoft Windows 2000 computers that do not have Microsoft Security Bulletin MS05-039 installed. MS05-039 patches the Windows Plug-and-Play buffer overflow vulnerability.
Win32/Zotob can also infect computers running other Windows operating systems if it is delivered through email, instant messaging, or other routes. The worm has a backdoor component that connects to an IRC server to receive commands from attackers.

What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Win32/Zotob takes the following actions:
  • Copies itself to the Windows system folder.
  • Exits after running the copied worm file. The worm copy then takes the following actions:
    • Modifies the Windows registry so that the worm copy runs each time Windows starts.
    • Scans random IP addresses to establish connections with other computers. The worm sends exploit code to a remote computer when a connection is established. If the remote computer is running Windows 2000 and does not have MS05-039 installed, the exploit code causes the remote computer to download and run a copy of the worm.
    • Connects to an IRC server to receive commands such as the following from attackers:
      • Retrieve system information such as CPU speed, memory usage, Windows operating system, connection type, IP address, and Windows logon information.
      • Download and run files.
      • Remove the worm.
    • Modifies the Windows system hosts file, <system folder>\drivers\etc\hosts, to block access to certain Web sites.
    • Disables the Internet Connection Firewall/Internet Connection Sharing service by modifying a registry key.
Certain Win32/Zotob variants can also perform actions such as the following:
  • Terminate other processes and delete certain files in the Windows system folder or Windows program files folder.
  • Register the worm as a service. This causes the worm to start as a service each time Windows starts, so that the worm continues running regardless of whether any user is logged on. 
  • Monitor a specific port for requests. Upon receiving a request, the worm can send a copy of itself to another computer using a protocol such as TFTP.
  • Spread through e-mail by sending a copy of the worm as an attachment to e-mail addresses found on the infected computer.
  • Remove or disable certain adware, spyware, and malicious software applications.


Alerts from your security software might be the only symptom.


Alert level: Severe
This entry was first published on: Aug 17, 2005
This entry was updated on: Jul 16, 2015

This threat is also detected as:
  • W32/Zotob.worm (McAfee)
  • W32/Zotob.worm.gen (McAfee)
  • W32.Zotob (Symantec)
  • W32/Bozor.A.worm (Panda)
  • WORM_MYTOB.JS (Trend Micro)
  • W32/Zotob-A (Sophos)
  • Zotob.A (F-secure)
  • Win32/Zotob.A!Worm (CA)
  • (Kaspersky)