W32/Zotob.E Worm

| Name | W32/Zotob.E Worm |
| Aliases | W32.Zotob.E, WORM_RBOT.CBQ |
| Discovered on | 16th August, 2005 |

Virus Information - W32/Zotob.E Worm:
W32/Zotob.E is a worm and a variant of W32/Zotob.A. It infects Windows systems and spreads through IRC (Internet Relay Chat) and the network.
The worm exploits the PnP (Plug and Play) vulnerability in Windows described in Microsoft Security Bulletin MS05-039.
Upon execution, the worm copies itself as wintbp.exe into the Windows System folder.
It modifies the Windows registry at the following location so that it is loaded at the next startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates a mutex named wintbp.exe, which it uses to check whether the worm is already present in system memory.
The worm connects to websites on a pre-configured list to check for internet connectivity.
The worm randomly scans computers on the network for a buffer overflow vulnerability. If one is found, the worm opens remote access to the victim computer and uploads a copy of the worm file via a TFTP port.
It also tries to terminate some processes running on the infected system.
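A host check for the local artifacts listed above, as an added example that is not part of the original write-up. It assumes the mutex is visible from the session running the check and that the process name matches the file name; the Run value name is not given on this page, so values are matched on their data.

```powershell
# Added example: looks for the local W32/Zotob.E artifacts described above.
# Run from an elevated PowerShell prompt on the host being checked.
$name     = 'wintbp.exe'   # file and mutex name given in the write-up
$findings = New-Object System.Collections.Generic.List[string]

# 1. Worm copy in the Windows System folder.
$file = Join-Path ([Environment]::SystemDirectory) $name
if (Test-Path -LiteralPath $file -PathType Leaf) {
    $findings.Add("File present: $file")
}

# 2. Run key. The write-up does not name the value, so match on the data.
$runPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runKey  = Get-Item -LiteralPath $runPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($valueName in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($valueName)
        if ($data -like "*$name*") {
            $findings.Add("Run value '$valueName' -> $data")
        }
    }
}

# 3. Mutex. Assumption: it lives in a namespace this session can see.
try {
    $mutex = [System.Threading.Mutex]::OpenExisting($name)
    $mutex.Close()
    $findings.Add("Mutex '$name' exists")
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # No mutex with this name: nothing to report.
} catch [System.UnauthorizedAccessException] {
    $findings.Add("Mutex '$name' exists (access denied when opening it)")
}

# 4. Running process. Assumption: the process is named after the file.
$procName = [IO.Path]::GetFileNameWithoutExtension($name)
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Process running: PID $($_.Id) $($_.Path)") }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "No $name artifacts found on $env:COMPUTERNAME"
}
```

A clean result only means these specific artifacts are absent; the host still needs the MS05-039 patch.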
Microsoft has released a patch for the MS05-039 vulnerability. It can be downloaded from the following link:
http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
Users should apply the patch downloaded from the link provided above to remove the vulnerability from the system.
