Threat Encyclopedia


Win32/Bozori.B

Aliases:

Win32.Worm.Zotob.F (Bitdefender), W32/Bozori.worm.b (McAfee), W32.Zotob.F (Symantec), Net-Worm.Win32.Bozori.b (Kaspersky)

Type: Worm
Affects: 32-bit Windows


Summary:

Win32/Bozori.B is a 10878-byte worm with IRC bot components that exploits the Windows Plug and Play (PnP) vulnerability to spread. The worm is runtime-protected with Yoda and packed with UPX.

Installation and Autostart Techniques:

Upon execution, the worm copies itself into the "%System%" folder as "wintbpx.exe" and deletes the original file after a successful copy.

***Note: %System% denotes the Windows System directory (e.g. C:\WINDOWS\SYSTEM32), which differs between versions of Microsoft Windows.***

Win32/Bozori.B adds the following registry value so that it runs every time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Wintbpx.exe" = "wintbpx.exe"

On first start, the worm checks for an existing mutex (named after its own filename) to avoid infecting one machine twice.
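A host-side check for the persistence artifacts listed above, added here as an example (it is not code from the write-up or from its author): it looks for the Run value, the dropped %System%\wintbpx.exe file and, on Windows, tries to open a mutex named after the worm file. The pure `find_bozori_artifacts` function works on a snapshot so it runs anywhere; `collect_from_host` gathers a live snapshot on Windows. That the mutex is in the default (session-local) namespace and carries exactly the file name is an assumption; the write-up gives only the names.

```python
"""Check a host for the Win32/Bozori.B persistence artifacts named in the write-up."""
import os
import sys

# Indicators taken from the write-up: dropped file, Run-key value name and mutex
# (the worm uses its own file name as the mutex name). Matching is case-insensitive.
WORM_FILE = "wintbpx.exe"
RUN_VALUE_NAME = "Wintbpx.exe"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


def find_bozori_artifacts(run_values, system_dir_files, mutex_present=False):
    """Return human-readable findings for a snapshot of the host.

    run_values:       dict of value-name -> data under the HKLM ...\\Run key
    system_dir_files: iterable of file names found in %System%
    mutex_present:    True if a mutex named after the worm file could be opened
    """
    findings = []
    for name, data in run_values.items():
        # Flag either the documented value name or any value whose data points at the file.
        if name.lower() == RUN_VALUE_NAME.lower() or WORM_FILE in str(data).lower():
            findings.append(f"autostart: {RUN_KEY}\\{name} = {data!r}")
    if WORM_FILE in {f.lower() for f in system_dir_files}:
        findings.append(f"dropped file: %System%\\{WORM_FILE}")
    if mutex_present:
        findings.append(f"running instance: mutex {WORM_FILE!r} is held")
    return findings


def _open_mutex(name):
    """Best-effort infection-marker check: try to open the mutex by name (Windows only)."""
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE = 0x00100000
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    return False  # not found in this session's namespace (assumption: no Global\ prefix)


def collect_from_host():
    """Gather the snapshot from the live machine (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("host collection only works on Windows")
    import winreg
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # raised once all values have been enumerated
                break
            run_values[name] = data
            i += 1
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    return run_values, os.listdir(system_dir), _open_mutex(WORM_FILE)


if __name__ == "__main__":
    if sys.platform == "win32":
        snapshot = collect_from_host()
    else:
        # Constructed snapshot of an infected host, used off-Windows for demonstration.
        snapshot = ({"Wintbpx.exe": "wintbpx.exe", "SecurityHealth": "C:\\x\\sh.exe"},
                    ["kernel32.dll", "wintbpx.exe"], False)
    for line in find_bozori_artifacts(*snapshot):
        print(line)
```

On 64-bit Windows a 32-bit Python sees the WOW64-redirected Run key and System32 view, so run the collector with an interpreter matching the OS bitness.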

Exploiting Technologies:

The worm generates random IP addresses and attempts to connect to port 445 of each generated address to exploit the Plug and Play buffer overflow vulnerability (see MS05-039). If the exploit succeeds, it runs code (shellcode) on the target machine that instructs it to connect back to the attacking system to retrieve a copy of the worm. (The copy is delivered to the target through a TFTP server connection that the worm sets up, using a "%Temp%\{ random number }.bat" file of TFTP commands.) The worm creates its own task for this purpose.

The worm runs TFTP.EXE locally on the compromised system to retrieve a copy of itself as "%Windir%\a{ random number }.exe" from the attacking system and starts that file once the download completes. The worm reports all exploited IP addresses in its IRC channel.
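Network-side detection logic for the spread pattern just described, added here as an example (not from the write-up): a source sweeping many hosts on TCP/445 in a short window, a victim then fetching the payload back from that source over TFTP (UDP/69), and any connection to the 72.20.41.139 server listed further down. The log line format, the thresholds and the IRC port 6667 in the constructed sample are assumptions.

```python
"""Detect the Win32/Bozori.B spread pattern in firewall-style connection logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "<ISO time> <src> <dst> <proto> <dport>" per line.
# 10.0.0.5 sweeps random hosts on 445, 10.0.0.9 is exploited, fetches the worm
# back over TFTP and joins the IRC server named in the write-up (port 6667 assumed).
SAMPLE_LOG = """\
2005-08-16T10:00:01 10.0.0.5 203.0.113.7 tcp 445
2005-08-16T10:00:01 10.0.0.5 198.51.100.23 tcp 445
2005-08-16T10:00:02 10.0.0.5 192.0.2.77 tcp 445
2005-08-16T10:00:02 10.0.0.5 192.0.2.12 tcp 445
2005-08-16T10:00:03 10.0.0.5 10.0.0.9 tcp 445
2005-08-16T10:00:03 10.0.0.5 203.0.113.99 tcp 445
2005-08-16T10:00:05 10.0.0.9 10.0.0.5 udp 69
2005-08-16T10:00:20 10.0.0.9 72.20.41.139 tcp 6667
2005-08-16T10:01:00 10.0.0.3 10.0.0.200 tcp 445
2005-08-16T10:01:01 10.0.0.3 10.0.0.200 tcp 445
"""

SCAN_THRESHOLD = 5                    # distinct TCP/445 targets that count as a sweep
SCAN_WINDOW = timedelta(seconds=30)   # ... within this window (tune to your network)
TFTP_FOLLOWUP = timedelta(seconds=60) # TFTP back to the scanner this soon after the sweep
IRC_SERVER = "72.20.41.139"           # C2 host named in the write-up


def parse(log_text):
    """Turn log lines into sorted (time, src, dst, proto, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return sorted(events)


def find_scanners(events):
    """Return {src: sweep_start} for sources that hit >= SCAN_THRESHOLD distinct hosts
    on TCP/445 within SCAN_WINDOW. Repeated hits on one host do not count."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 445:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        for i in range(len(hits)):
            t0 = hits[i][0]
            targets = {d for t, d in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                scanners[src] = t0
                break
    return scanners


def detect(log_text):
    """Return alert strings: sweeps, TFTP call-backs to a scanner, and C2 contact."""
    events = parse(log_text)
    scanners = find_scanners(events)
    alerts = [f"{src}: TCP/445 sweep of >= {SCAN_THRESHOLD} hosts starting {t0.isoformat()}"
              for src, t0 in scanners.items()]
    # Which hosts did each scanner touch? A later UDP/69 from one of them back to
    # the scanner matches the victim-side tftp.exe download described in the write-up.
    scanned_by = defaultdict(set)
    for ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 445 and src in scanners:
            scanned_by[dst].add(src)
    for ts, src, dst, proto, dport in events:
        if (proto == "udp" and dport == 69 and dst in scanned_by[src]
                and ts - scanners[dst] <= TFTP_FOLLOWUP):
            alerts.append(f"{src}: TFTP fetch from scanner {dst}, likely new infection")
        if proto == "tcp" and dst == IRC_SERVER:
            alerts.append(f"{src}: connection to IRC C2 {IRC_SERVER}:{dport}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Ordinary file-server traffic also uses TCP/445, so the sweep rule keys on the number of distinct destinations rather than on connection volume; the TFTP call-back rule is the higher-confidence signal because it ties a victim to a host that scanned it moments before.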

Process Termination:

The worm tries to terminate the following processes (if they are running):

wintbp.exe, svnlitup32.exe, service32.exe, mousebm.exe, llsrv.exe, pnpsrv.exe, winpnp.exe, csm.exe, system32.exe, botzor.exe, upnp.exe

These files are related to other malicious programs, such as older versions of this worm.

Other Details:

Win32/Bozori.B also provides IRC backdoor functionality with the following functions:

Download files
Download new worm updates
Execute files
Provide uptime information to the remote controller
Provide information about the worm variant to the remote controller
Notify IRC Channels/Operator via private message
Restart the computer
Provide FTP Server Access on the compromised system
Remove components

Win32/Bozori.B tries to connect to the following Internet server:

72.20.41.139

and to the following IRC channel:

#Tbp4

References:

http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

History: Analysis and write-up by Michael St. Neitzel