W32/Zotob.J Worm

Subscribe to Virus Alert
Mailing List

Enter your Email
(Ex : john@company.com)

W32/Zotob.J Worm

Information about the W32/Zotob.J Worm:

W32/Zotob.J is a mass mailing worm. This worm is a variant of W32/Zotob.A. The worm will infect Windows systems and spreads through email and network.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Your Password has been updated
Important notification
Your Account is Suspended
WARNING: Your Services Near to be Closed
Security Measures
You have successfully updated your password
*DETECTED* Online User Violation
Your Account is suspended for Security Reasons

The body of the infected mail will be any one of the following;

Dear [domain name] Member,
Your e-mail account was used to send a huge amount of unsolicited spam
messages during the recent week. If you could please take 5-10 minutes
out of your online experience and confirm the attached document so you
will not run into any future problems with the online service.
If you choose to ignore our request, you leave us no choice but to cancel
your membership.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Virtually yours,
The [domain name] Support Team
+++ Attachment: No Virus found
+++ [domain name] Antivirus - www.[domain name]

Dear [name] Member,
We have temporarily suspended your email account [EMAIL ADDRESS].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of
subscription due to an internal error within our processors.
See the details to reactivate your [EMAIL ADDRESS] account.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Sincerely,The [domain name] Support Team
+++ Attachment: No Virus (Clean)
+++ [domain name] Antivirus - www.[domain name]

Dear user [name],
It has come to our attention that your [domain name] User Profile ( x )
records are out of date. For further details see the attached document.
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using [domain name]!
The [domain name] Support Team
+++ Attachment: No Virus (Clean)
+++ [domain name] Antivirus - www.[domain name]

Dear user [name],
You have successfully updated the password of your [domain name] account.
If you did not authorize this change or if you need assistance with your account, please contact [DOMAIN] customer service at:[DOMAIN]
Please also visit our irc server irc.unixirc.net 6667 #ccpower
Thank you for using [domain name]!
The [domain name] Support Team
+++ Attachment: No Virus (Clean)
+++ [domain name]Antivirus - www. [domain name]

The infected attachment will be any one of the following;

Account-report
Account-details
Email-details
Account-password
Accepted-password
Email-password
Important-details
Password
Document.zip
Updated-password
New-password

The extension of the infected attachment will be any one of the following;

.zip
.exe
.htm
.doc
.pif
.scr
.txt

This worm exploits PnP vulnerability present in Windows as explained by Microsoft Security Bulletin MS05-039 on TCP Port 445.

The worm creates a remote access to an IRC Server through TCP port 5544 then downloads and executes the infected file.

The worm also creates ftp server and randomly scans for the computers with this flaw on the network. If found then the worm creates a remote access through TCP 445 and sends a script file 2pac.txt to the victim computer. This script file will download the worm file haha.exe from the infected computer and executes the same in the victim's computer.

Upon execution, the worm copies itself as fuck.exe in the Windows System folder.

It modifies the Windows registry at the following location to load itself during next startup;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

It also creates a mutex called B-O-T-Z-O-R to make sure that only one instance of worm is running in the system.

Microsoft has released the patch for the MS05-039 vulnerability. It can be downloaded from the following link:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Users should apply the patch downloaded from the link provided above to remove the vulnerability inherent in the system.

This worm first appeared on August 23, 2005.

Other names of W32/Zotob.J Worm:

This Worm is also known as W32.Zotob.J@mm, WORM_ZOTOB.H.

Click here to download a 30 day Evaluation Copy of
Protector Plus anti virus software for your operating system

About Protector Plus Antivirus Software Packages:

Proland Software is the developer of Protector Plus range of antivirus software packages. Protector Plus 2007 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.

Special Offer Order Protector Plus Antivirus software Now and get SpamChoke Antispam Software worth $29.95 FREE!

Protector Plus range of antivirus products offer on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.

These products are updated on a continuous basis and the latest upgrades for all the platforms are made available for downloading from this site.

Click here to order
Protector Plus anti virus software