[Dshield] Zotob.d <- Vigilante Virus

Wayne Beckham securityguy at dslextreme.com
Wed Aug 17 00:08:29 GMT 2005


Has anyone else seen this?  Symantec has identified a new variant of zotob,
version d.  Details at
http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html

What I thought was really interesting was where it starts describing what
this worm deletes.  I didn't look up all of the entries and just labeled them
off the top of my head.

# %SYSTEM%\pnpsrv.exe
# %SYSTEM%\winpnp.exe
# %SYSTEM%\csm.exe
# %SYSTEM%\botzor.exe  <--- Zotob.a virus 
# %PROGRAMFILES%\MyWebSearch <--- Spyware 
# %PROGRAMFILES%\MyWebSearch\*.exe <--- Spyware 
# %PROGRAMFILES%\Hotbar <--- Spyware 
# %PROGRAMFILES%\Hotbar\*.exe <--- Spyware 
# %PROGRAMFILES%\MyWay <--- Adware 
# %PROGRAMFILES%\MyWay\*.exe <--- Adware 
# %PROGRAMFILES%\180Solutions <--- Adware 
# %PROGRAMFILES%\180Solutions\*.exe <--- Adware 
# %PROGRAMFILES%\Common Files\WinTools <--- Spyware 
# %PROGRAMFILES%\Common Files\WinTools\*.exe <--- Spyware 
# %PROGRAMFILES%\Toolbar <--- Spyware 
# %PROGRAMFILES%\Toolbar\*.exe <--- Spyware 
# %PROGRAMFILES%\CxtPls <--- Spyware 
# %PROGRAMFILES%\NavExcel <--- Spyware 
# %PROGRAMFILES%\AutoUpdate <--- Adware 
# %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe <--- Adware 
# %PROGRAMFILES%\EbatesMoeMoneyMaker <--- Adware 
# %PROGRAMFILES%\eZula <--- Spyware 
# %PROGRAMFILES%\eZula\mmod.exe <--- Spyware 
# %PROGRAMFILES%\Common Files\GMT <--- Spyware 
# %PROGRAMFILES%\Common Files\GMT\GMT.exe  <--- Spyware 
# %PROGRAMFILES%\Common Files\CMEII  <--- Adware

So what do you think?  Is there such a thing as a "vigilante virus?"  So far
we haven't seen any machines catch this, but I'm looking for one!

- Wayne Beckham, CISSP, MCSE