Worm:Win32/Zotob.A
Aliases:
- W32/Zotob.worm (McAfee)
- W32.Zotob.A (Symantec)
- W32/Bozor.A.worm (Panda)
- Zotob.A (Trend Micro)
- W32/Zotob-A (Sophos)
- Zotob.A (F-Secure)
- Win32/Zotob.A!Worm (CA)
- Net-Worm.Win32.Mytob.cd (Kaspersky)
- Worm.Win32.Mytob.FR (Global Hauri)
Summary
- Install security update MS05-039.
- Disconnect from the Internet.
- End the worm process.
- Delete the worm files from your computer.
- Delete the worm registry entries.
- Clean the system host file.
- Restart your computer.
- Take steps to prevent re-infection.
- Run an antivirus scan.
Install security update MS05-039
- Go to the Windows Update Web site at windowsupdate.microsoft.com.
- On the Windows Update site, click Scan for Updates. Windows Update scans your computer and returns a list of critical updates, including service packs.
- In the Pick updates to install list, click Critical Updates and Service Packs. Windows Update creates a list of the updates appropriate for your computer, including MS05-039 if it is not installed. Critical updates are selected for download automatically.
- Click Review and install updates, and then click Install Now. You may need to restart your computer after installing the updates.
Disconnect from the Internet
- Unplug the network cable or disable the network adapter before you start removing the worm. The worm spreads over the network by exploiting the vulnerability that MS05-039 fixes, so an unpatched computer that stays connected can be re-infected while you are cleaning it, and an infected one keeps attacking other computers.
End the worm process
- Press CTRL+ALT+DEL once and click Task Manager.
- Click Processes and click Image Name to sort the running processes by name.
- Select the process botzor.exe, and click End Process.
Delete the worm files from your computer
- Click Start, and click Run.
- In the Open field, type the name of the system folder, for example, C:\Winnt\system32\
- Click OK.
- Click Name to sort files by name.
- If botzor.exe is in the list, delete it.
- On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
- Click Yes.
- Press CTRL+ALT+DEL once and click Task Manager.
- Click Processes and click Image Name to sort the running processes by name.
- Confirm that botzor.exe is not in the list.
Delete the worm registry entries
- On the Start menu, click Run.
- Type regedit and click OK.
- In the left pane, navigate to the key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- In the right pane, right-click the following value, if it exists: WINDOWS SYSTEM
- Click Delete and click Yes to delete the value.
- Repeat the previous three steps (navigate to the key, right-click the WINDOWS SYSTEM value, delete it) for HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices.
- Close Registry Editor.
Clean the system host file
- On the Start menu, click Run.
- Type notepad.exe and click OK.
- On the File menu, click Open…
- In the File name text box, type the name of the Windows directory folder and \system32\drivers\etc\hosts, for example, C:\winnt\system32\drivers\etc\hosts.
- Search for text that begins with "Botzor2005 Made By…"
- Select this text and all text that follows. Delete the selected text and save the file.
- Close Notepad.
Restart your computer
- On the Start menu, click Shut Down.
- Select Restart from the drop-down list and click OK.
Take steps to prevent re-infection
Run an antivirus scan
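The removal steps above (end the botzor.exe process, delete the file from the system folder, delete the WINDOWS SYSTEM value under Run and RunServices, cut the hosts file from the "Botzor2005 Made By" marker to the end) can be scripted so that they are applied the same way on every affected computer, with a report-only mode for checking a machine before touching it. The script below is an added example, not Microsoft's own tooling and not part of the original encyclopedia entry. It assumes PowerShell 2.0 or later running from an elevated prompt (not available on a stock Windows 2000 or XP installation), that KB899588 is the hotfix ID that security update MS05-039 installs, and that the worm file lives in %SystemRoot%\system32 as the page's example path suggests; the -ReportOnly switch and the backup file name are this example's own conventions.

```powershell
# Added example: Zotob.A manual-removal steps as a script. Not Microsoft's code.
# Assumptions: elevated PowerShell 2.0+; MS05-039 == KB899588; worm file is in
# %SystemRoot%\system32 (the page's example path). Disconnect from the network
# before running this, as the removal steps instruct.
param(
    [switch]$ReportOnly    # only list what was found; change nothing
)

$ErrorActionPreference = 'Stop'
$sysDir      = Join-Path $env:SystemRoot 'system32'
$wormPath    = Join-Path $sysDir 'botzor.exe'
$runKeys     = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
$valueName   = 'WINDOWS SYSTEM'
$hostsPath   = Join-Path $sysDir 'drivers\etc\hosts'
$hostsMarker = 'Botzor2005 Made By'   # the page says the worm's block begins here
$findings    = @()

# 1. Patch state. Without MS05-039 the computer can be re-infected as soon as
#    it is back on the network, so report this first.
if (-not (Get-HotFix -Id 'KB899588' -ErrorAction SilentlyContinue)) {
    $findings += 'MS05-039 (KB899588) is NOT installed; install it before reconnecting'
}

# 2. Worm process. Get-Process matches on image name without the extension,
#    which is what Task Manager's Image Name column shows.
foreach ($p in @(Get-Process -Name 'botzor' -ErrorAction SilentlyContinue)) {
    $findings += "Running process: $($p.Name).exe (PID $($p.Id))"
    if (-not $ReportOnly) { Stop-Process -Id $p.Id -Force }
}

# 3. Worm file in the system folder (delete after the process is gone,
#    otherwise the running image keeps the file locked).
if (Test-Path -LiteralPath $wormPath) {
    $findings += "File present: $wormPath"
    if (-not $ReportOnly) { Remove-Item -LiteralPath $wormPath -Force }
}

# 4. Autostart values. RunServices only exists on Windows 9x/2000/XP-era
#    systems, so skip a key that is not there instead of failing.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.PSObject.Properties[$valueName]) {
        $findings += "Registry value: $key\$valueName = $($props.$valueName)"
        if (-not $ReportOnly) { Remove-ItemProperty -Path $key -Name $valueName }
    }
}

# 5. Hosts file. The page's instruction is "select the marker text and all
#    text that follows", so keep only the lines before the first marker line.
if (Test-Path -LiteralPath $hostsPath) {
    $lines = @(Get-Content -LiteralPath $hostsPath)
    $start = -1
    for ($i = 0; $i -lt $lines.Count -and $start -lt 0; $i++) {
        if ($lines[$i] -match [regex]::Escape($hostsMarker)) { $start = $i }
    }
    if ($start -ge 0) {
        $dropped = $lines.Count - $start
        $findings += "Hosts file: worm block starts at line $($start + 1) ($dropped lines)"
        if (-not $ReportOnly) {
            # Keep a copy of the tampered file for the incident record.
            Copy-Item -LiteralPath $hostsPath -Destination ($hostsPath + '.pre-zotob.bak') -Force
            if ($start -eq 0) { $keep = @() } else { $keep = $lines[0..($start - 1)] }
            Set-Content -LiteralPath $hostsPath -Value $keep -Encoding ASCII
        }
    }
}

if ($findings.Count -eq 0) {
    'No Zotob.A indicators found.'
} else {
    $findings
    if (-not $ReportOnly) { 'Restart the computer, then run a full antivirus scan.' }
}
```

Run it once with -ReportOnly to see what would be touched, then without the switch to clean. The registry check reads the value through Get-ItemProperty rather than assuming it exists, so a computer where only the Run value is present (or neither) is handled without errors, and the hosts file is backed up before it is rewritten so the redirected entries remain available as evidence.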
Additional remediation instructions for Worm:Win32/Zotob.A
- Stopping and starting the Internet Connection Firewall/Internet Connection Sharing (ICS) service:
- For Windows 7: http://windows.microsoft.com/en-US/windows7/What-are-Administrative-Tools
- For Windows Vista: http://windows.microsoft.com/en-US/windows-vista/What-are-Administrative-Tools
- For Windows XP: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sys_srv_start_service.mspx
- Recreating a clean HOSTS file: http://support.microsoft.com/kb/972034
- For other support and help related articles, go to:
- Windows 7: http://support.microsoft.com/gp/windows7
- Windows Vista: http://support.microsoft.com/ph/11732
- Windows XP: http://support.microsoft.com/ph/1173
- Microsoft Security TechNet Center: http://technet.microsoft.com/security/default.aspx