W32/Zotob.C Worm

| Field | Value |
| --- | --- |
| Name | W32/Zotob.C Worm |
| Aliases | W32/Zotob-C, W32.Zotob.C@mm, WORM_ZOTOB.C, Zotob.C |
| Discovered on | August 16, 2005 |
Virus Information - W32/Zotob.C Worm:
W32/Zotob.C is an email worm that infects Windows systems and spreads through both email and the network.
The infected email carries a spoofed 'From' address picked at random from addresses found on the infected system.
The subject of the infected mail will be any one of the following:
Hello
Warning!!
Important!
**Warning**
Confirmed...
The body of the infected mail will be any one of the following:
hey!!
looooool
0K here is it!
That's your photo!!?
We found a photo of you in ...
The name of the infected attachment will be any one of the following:
loool
photo
image
picture
sample
your_photo
webcam_photo
The extension of the infected attachment will be any one of the following:
.scr
.pif
.exe
.cmd
.bat
Upon execution of the infected attachment, the worm copies itself as per.exe in the Windows System folder.
It adds entries under the following Windows registry keys so that it is loaded again at the next startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
This worm exploits the LSASS and PnP vulnerabilities in Windows described in Microsoft Security Bulletins MS04-011 and MS05-039.
Microsoft has released patches for the MS04-011 and MS05-039 vulnerabilities; they can be downloaded from the following links:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
Users should apply the patches available from the links above to close these vulnerabilities on the system.
The worm modifies the HOSTS file to block access to anti-virus websites.
To propagate itself, the worm scans files with the following extensions on the infected system and harvests the email addresses it finds in them:
.wab, .dbx, .txt, .htm, .html, .jsp, .asp, .xml, .cgi, .php, .pl, .sht, .tbb and .adb
The worm sends a copy of itself to all the collected email addresses using its own SMTP engine.
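As an added example that is not part of the original advisory, the following Python script turns the subject, body, attachment-name and extension lists above into a simple mail-gateway triage check. The sample messages it builds are constructed for illustration, and the decision rule (attachment name plus extension plus at least one text lure) is an assumption chosen to keep false positives low.

```python
"""Mail-gateway triage for the W32/Zotob.C lures listed in the advisory.

Constructed example: the indicator sets below are copied from the advisory text;
the messages built by build_sample() are made up for testing, not real captures.
"""
import email
import os
from email import policy
from email.message import EmailMessage

SUBJECTS = {"Hello", "Warning!!", "Important!", "**Warning**", "Confirmed..."}
BODIES = {"hey!!", "looooool", "0K here is it!", "That's your photo!!?",
          "We found a photo of you in ..."}
NAMES = {"loool", "photo", "image", "picture", "sample", "your_photo", "webcam_photo"}
EXTS = {".scr", ".pif", ".exe", ".cmd", ".bat"}


def zotob_indicators(raw: bytes) -> dict:
    """Return which Zotob.C lure traits a raw RFC 822 message exhibits."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip() if body_part is not None else ""
    hits = {"subject": subject in SUBJECTS, "body": body_text in BODIES,
            "attachment": False, "extension": False}
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext(part.get_filename() or "")
        hits["attachment"] = hits["attachment"] or stem.lower() in NAMES
        hits["extension"] = hits["extension"] or ext.lower() in EXTS
    return hits


def is_zotob_lure(raw: bytes) -> bool:
    """Assumed rule: executable-style attachment with a listed name plus a listed subject or body."""
    h = zotob_indicators(raw)
    return h["attachment"] and h["extension"] and (h["subject"] or h["body"])


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message (not a real capture); the From address is spoofed like the worm's."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"MZ\x00\x00", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

Run the functions over raw messages pulled from the gateway quarantine; a subject or body match alone is a weak signal because those strings are short and generic.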