Top Threat: Zori.B
Viruses
DreamingFox writes "Top Threat Name: W32.Zori.B (Symantec)
Affects: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

What it does: Zori.B spreads through Windows file shares. The virus infects .exe files by writing its code to the beginning of the files. Nine days after the original infection, the virus begins to delete files from all disks. The size of the infection code is 623,116 bytes.

How to avoid it: Use antivirus software and keep it up to date. Try to limit file shares to folders that do not contain programs.

How to remove it: Use antivirus software to scan the system for files infected with the virus and delete them.

Details:

When the Zori.B code is executed it performs the following actions:

1. It displays a graphic from a file named andylau.bmp.
2. It creates copies of itself with the following file names:
* C:\windows\temp\ssshost.exe
* %Windir%\svchost.exe (%Windir% is usually c:\windows)
3. It adds the value
Microsoft = %Windir%\svchost.exe to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to start itself when Windows starts.
4. It also adds the value:
(Default) = %Windir%\svchost.exe %1 %* to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command to run it every time Windows starts
5. It adds the value
Version = 0x3E9 to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\mysoft as a flag that indicates that the system is infected.
6. It opens a back door connection to youda2000.vicp.net on TCP port 1879 and listens for commands from the attacker.
7. It attempts to disable the following processes:
* pfw.exe
* kvfw.exe
* KAVPFW.EXE
* iamapp.exe
* nmain.exe
* freepp.EXE
* freekav.EXE
* freesys.EXE
* Iparmor.exe
* trojan_hunter.exe
* Rfw.exe
* rav
* taskmgr.exe
8. It attempts to delete the following values from the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key:
* SKYNET Personal FireWall
* iDuba Personal FireWall
* iamapp
* rfw
* popproxy
* RavMon
* RavTimer

At this point, Zori.B begins to search all hard disks for .exe files. When it finds one, it infects it by prepending its code to files it finds. Infected files increase in size by 623,116 bytes. It may also spread by copying itself over Windows file shares. "
Posted on Sunday, 10 April 2005 @ 00:09:36 UTC by Paul (1829 reads)
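As an added example (not part of the CastleCops post or Symantec's writeup), the following Python script turns the indicators in the Details section into defender-side checks: the Run-key value pointing at a svchost.exe sitting directly in %Windir% (the genuine binary lives in %Windir%\System32), the hijacked exefile shell\open\command handler, the HKLM\SOFTWARE\mysoft Version=0x3E9 infection marker, and the constant 623,116-byte size growth that a prepending infector leaves on every .exe it touches. The inputs it runs over (a .reg-style export and a before/after file-size inventory) are constructed so the script works offline; the sample paths and sizes are made up, and registry key paths are compared case-insensitively because the Windows registry itself is.

```python
"""Triage for the W32.Zori.B indicators listed in the writeup above.
Added example, not part of the CastleCops post or Symantec's description; all
inputs are constructed so it runs offline (on a real host: a `reg export` file
and a before/after file-size inventory)."""

# Indicators from the writeup; key paths are compared case-insensitively,
# as the Windows registry itself does.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command"
MARKER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\mysoft"
MARKER_VALUE = 0x3E9
INFECTION_SIZE = 623_116   # bytes prepended to every infected .exe


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            data = data.strip()
            if data.startswith('"'):  # quoted string: .reg doubles backslashes
                data = data.strip('"').replace("\\\\", "\\")
            keys[current]["(Default)" if name == "@" else name] = data
    return keys


def is_rogue_svchost(path):
    """True when svchost.exe sits directly in the Windows directory: the genuine
    binary lives in %Windir%\\System32, the Zori.B copy at %Windir%\\svchost.exe."""
    p = path.strip().strip('"').lower().replace("%windir%", r"c:\windows")
    parent, _, name = p.rpartition("\\")
    return name == "svchost.exe" and parent == r"c:\windows"


def check_registry(keys):
    """Return one finding string per registry indicator that is present."""
    findings = []
    lower = {k.lower(): v for k, v in keys.items()}
    for name, data in lower.get(RUN_KEY.lower(), {}).items():
        if is_rogue_svchost(data):
            findings.append(f"Run value '{name}' starts {data}")
    cmd = lower.get(EXEFILE_KEY.lower(), {}).get("(Default)", "").strip()
    # A clean exefile handler begins with "%1" (the program being launched);
    # anything placed in front of it runs every time an .exe is opened.
    first = cmd.split()[0] if cmd else '"%1"'
    if first not in ('"%1"', "%1"):
        findings.append(f"exefile open command hijacked: {cmd}")
    marker = lower.get(MARKER_KEY.lower(), {}).get("Version", "")
    if marker.lower().startswith("dword:") and int(marker[6:], 16) == MARKER_VALUE:
        findings.append("infection marker HKLM\\SOFTWARE\\mysoft Version=0x3E9 present")
    return findings


def flag_prepended(current, baseline):
    """Executables whose size grew by exactly INFECTION_SIZE since the baseline
    (a prepending infector changes size by a constant, unlike a legitimate update)."""
    return [path for path, size in current.items()
            if path.lower().endswith(".exe") and path in baseline
            and size - baseline[path] == INFECTION_SIZE]


# Constructed sample inputs, not real captures.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft"="%Windir%\\svchost.exe"
"SomeTool"="C:\\Program Files\\SomeTool\\tool.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="%Windir%\\svchost.exe %1 %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\mysoft]
"Version"=dword:000003e9
'''
BASELINE_INVENTORY = {r"C:\Program Files\SomeTool\tool.exe": 1_048_576,
                      r"C:\Tools\editor.exe": 204_800,
                      r"C:\Tools\readme.txt": 1_024}
CURRENT_INVENTORY = {r"C:\Program Files\SomeTool\tool.exe": 1_048_576 + INFECTION_SIZE,
                     r"C:\Tools\editor.exe": 204_800,
                     r"C:\Tools\readme.txt": 1_024 + INFECTION_SIZE}


def triage():
    """Run both checks over the constructed samples."""
    return {"registry": check_registry(parse_reg_export(SAMPLE_REG)),
            "prepended": flag_prepended(CURRENT_INVENTORY, BASELINE_INVENTORY)}


if __name__ == "__main__":
    for section, hits in triage().items():
        print(f"{section}: {hits}")
```

The size check deliberately ignores non-executables (readme.txt grows by the same amount in the sample but is not reported), since the writeup says only .exe files are infected; the exefile check treats any handler whose first token is not "%1" as hijacked rather than looking only for svchost.exe, so it also catches other programs inserted in front of every launched executable.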