[Dshield] Zotob.d <- Vigilante Virus
Wayne Beckham
securityguy at dslextreme.com
Wed Aug 17 00:08:29 GMT 2005
Has anyone else seen this? Symantec has identified a new variant of zotob,
version d. Details at
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
What I thought was really interesting was where it starts describing what
this worm deletes. I didn't look up all of the entries and just labeled them
off the top of my head.
# %SYSTEM%\pnpsrv.exe
# %SYSTEM%\winpnp.exe
# %SYSTEM%\csm.exe
# %SYSTEM%\botzor.exe <--- Zotob.a virus
# %PROGRAMFILES%\MyWebSearch < --- Spyware
# %PROGRAMFILES%\MyWebSearch\*.exe <--- Spyware
# %PROGRAMFILES%\Hotbar <--- Spyware
# %PROGRAMFILES%\Hotbar\*.exe <--- Spyware
# %PROGRAMFILES%\MyWay <--- Adware
# %PROGRAMFILES%\MyWay\*.exe <--- Adware
# %PROGRAMFILES%\180Solutions <--- Adware
# %PROGRAMFILES%\180Solutions\*.exe <--- Adware
# %PROGRAMFILES%\Common Files\WinTools <--- Spyware
# %PROGRAMFILES%\Common Files\WinTools\*.exe <--- Spyware
# %PROGRAMFILES%\Toolbar <--- Spyware
# %PROGRAMFILES%\Toolbar\*.exe <--- Spyware
# %PROGRAMFILES%\CxtPls <--- Spyware
# %PROGRAMFILES%\NavExcel <--- Spyware
# %PROGRAMFILES%\AutoUpdate <--- Adware
# %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe <--- Adware
# %PROGRAMFILES%\EbatesMoeMoneyMaker <--- Adware
# %PROGRAMFILES%\eZula <--- Spyware
# %PROGRAMFILES%\eZula\mmod.exe <--- Spyware
# %PROGRAMFILES%\Common Files\GMT <--- Spyware
# %PROGRAMFILES%\Common Files\GMT\GMT.exe <--- Spyware
# %PROGRAMFILES%\Common Files\CMEII <--- Adware
So what do you think? Is there such a thing as a "vigilante virus?" So far
we haven't seen any machines catch this, but I'm looking for one!
- Wayne Beckham, CISSP, MCSE
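Added example, not part of Wayne's post or Symantec's write-up: a small Python scanner that parses the artifact list above into (path, label) pairs, expands the %SYSTEM% and %PROGRAMFILES% placeholders against caller-supplied root directories, and reports which of the Zotob.a / spyware / adware artifacts are actually present on disk. Useful from the defender's side for checking whether a host ever carried the files this variant removes. The `roots` mapping, the `build_demo_tree` helper and the temporary demo tree it creates are constructed assumptions; on a real host `SYSTEM` and `PROGRAMFILES` would point at the corresponding Windows directories.

```python
"""Scan for the file artifacts listed in the Zotob.d write-up (added example)."""
import fnmatch
import os
import tempfile
from pathlib import Path

# Copy of the list from the post, in the same '# path <--- label' layout.
ARTIFACT_LIST = r"""
# %SYSTEM%\pnpsrv.exe
# %SYSTEM%\winpnp.exe
# %SYSTEM%\csm.exe
# %SYSTEM%\botzor.exe <--- Zotob.a virus
# %PROGRAMFILES%\MyWebSearch < --- Spyware
# %PROGRAMFILES%\MyWebSearch\*.exe <--- Spyware
# %PROGRAMFILES%\Hotbar <--- Spyware
# %PROGRAMFILES%\Hotbar\*.exe <--- Spyware
# %PROGRAMFILES%\MyWay <--- Adware
# %PROGRAMFILES%\MyWay\*.exe <--- Adware
# %PROGRAMFILES%\180Solutions <--- Adware
# %PROGRAMFILES%\180Solutions\*.exe <--- Adware
# %PROGRAMFILES%\Common Files\WinTools <--- Spyware
# %PROGRAMFILES%\Common Files\WinTools\*.exe <--- Spyware
# %PROGRAMFILES%\Toolbar <--- Spyware
# %PROGRAMFILES%\Toolbar\*.exe <--- Spyware
# %PROGRAMFILES%\CxtPls <--- Spyware
# %PROGRAMFILES%\NavExcel <--- Spyware
# %PROGRAMFILES%\AutoUpdate <--- Adware
# %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe <--- Adware
# %PROGRAMFILES%\EbatesMoeMoneyMaker <--- Adware
# %PROGRAMFILES%\eZula <--- Spyware
# %PROGRAMFILES%\eZula\mmod.exe <--- Spyware
# %PROGRAMFILES%\Common Files\GMT <--- Spyware
# %PROGRAMFILES%\Common Files\GMT\GMT.exe <--- Spyware
# %PROGRAMFILES%\Common Files\CMEII <--- Adware
"""


def parse_artifacts(text):
    """Turn '# %VAR%\\path <--- label' lines into (path, label) tuples.

    Lines without a label (the first three) get the label 'unlabelled'.
    Both '<---' and the stray '< ---' spelling in the post are accepted.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("#"):
            continue
        body = line[1:].strip()
        label = "unlabelled"
        if "<" in body:
            path_part, _, label_part = body.partition("<")
            body = path_part.strip()
            label = label_part.lstrip("<- ").strip()
        entries.append((body, label))
    return entries


def expand(pattern, roots):
    """Split '%VAR%\\a\\b' into (root directory for VAR, ['a', 'b'])."""
    var, _, rest = pattern.partition("\\")
    base = Path(roots[var.strip("%")])
    parts = rest.split("\\") if rest else []
    return base, parts


def find_artifacts(text, roots):
    """Return [(found_path, label)] for every listed artifact present under roots.

    A final component containing '*' or '?' is matched case-insensitively
    against the directory listing; anything else is a plain existence check.
    """
    hits = []
    for pattern, label in parse_artifacts(text):
        base, parts = expand(pattern, roots)
        if not parts:
            continue
        *dirs, last = parts
        directory = base.joinpath(*dirs)
        if not directory.is_dir():
            continue
        if "*" in last or "?" in last:
            for name in sorted(os.listdir(directory)):
                if fnmatch.fnmatchcase(name.lower(), last.lower()):
                    hits.append((str(directory / name), label))
        else:
            candidate = directory / last
            if candidate.exists():
                hits.append((str(candidate), label))
    return hits


def build_demo_tree():
    """Constructed sample tree (assumption): Zotob.a dropper plus a Hotbar install."""
    root = tempfile.mkdtemp(prefix="zotob_demo_")
    system = os.path.join(root, "system")
    programfiles = os.path.join(root, "programfiles")
    os.makedirs(system)
    os.makedirs(os.path.join(programfiles, "Hotbar"))
    open(os.path.join(system, "botzor.exe"), "w").close()
    open(os.path.join(programfiles, "Hotbar", "hb.exe"), "w").close()
    return {"SYSTEM": system, "PROGRAMFILES": programfiles}


if __name__ == "__main__":
    for path, label in find_artifacts(ARTIFACT_LIST, build_demo_tree()):
        print(f"{label:14s} {path}")
```

On a real Windows host you would pass `{"SYSTEM": os.environ["SystemRoot"] + r"\System32", "PROGRAMFILES": os.environ["ProgramFiles"]}` instead of the demo tree; a hit on `botzor.exe` means the Zotob.a dropper was present, while hits in the spyware/adware directories only show those products were installed at some point.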