All About Zotob


How to Remove Zotob.

Automated Tools:

Microsoft Malware Remover

Symantec FixZotob.exe

Symantec FixZotob.exe Instructions


Microsoft Manual Zotob Clean:

This is an overview of Microsoft's solution

1. Install security update MS05-039 (Windows Update at the time requires Internet Explorer).

You will have to:

Scan for Updates

Pick Updates

Install Updates

2. Disconnect from the Internet.

3. End the worm process.

Open Task Manager (Ctrl+Alt+Del), go to the Processes tab, locate each Zotob process by its file name [see the Zotob Variant Table for file names] and end it.


Zotob Variant Table

Variant    File Name    Aliases
--------   ----------   --------------------------------------------------------------
Zotob.A                 Zotob.A [F-Secure], W32/Zotob.worm [McAfee], W32/Zotob-A [Sophos], WORM_ZOTOB.A [Trend Micro]
Zotob.B                 Zotob.B [F-Secure], Backdoor.Win32.IRCBot.et [Kaspersky Lab], W32/Zotob.worm.b [McAfee], W32/Zotob-B [Sophos], WORM_ZOTOB.B [Trend Micro]
Zotob.C
Zotob.D
Zotob.E                 CME-540, Win32.Tpbot.A [Computer Associates], Bozori.A [F-Secure], Net-Worm.Win32.Bozori.a [Kaspersky Lab], W32/Bozori.worm.a!CME-540 [McAfee], W32/Tpbot-A [Sophos], WORM_RBOT.CBQ [Trend Micro]
Zotob.F                 Bozori.B [F-Secure], Net-Worm.Win32.Bozori.b [Kaspersky Lab], W32/Bozori.worm.b [McAfee], W32/Zotob-F [Sophos], WORM_ZOTOB.F [Trend Micro]
Zotob.G                 W32.Drudebot.A
Zotob.I

4. Delete the worm files from your computer.

Search the system for the file names listed in the Zotob Variant Table, or look for each one in the system directory: C:\Windows\System32 on Windows XP, C:\Winnt\System32 on Windows 2000.


5. Delete the worm registry entries.

Microsoft's pages give a breakdown of each registry key in which Zotob places entries; follow the links in the Zotob Variant Table for details.

HijackThis is a much quicker and safer way to do this than editing the registry by hand.


6. Clean the system hosts file.

On the Start menu, click Run.

Type notepad.exe and click OK.

On the File menu, click Open…

In the File name text box, type the name of the Windows directory folder and \system32\drivers\etc\hosts, for example, C:\winnt\system32\drivers\etc\hosts.

Search for text that begins with "Botzor2005 Made By…"

Select this text and everything that follows it, delete the selection, and save the file.

Close Notepad.

Restart your computer.
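Step 6 is the one part of the manual clean that is easy to get wrong by hand (deleting too little leaves the hijacked entries in place; deleting too much breaks the localhost mapping), so here is a small script for it. This is an added example, not part of the original page or of the Microsoft or Symantec procedures. It matches only the marker prefix quoted above ("Botzor2005 Made By"), because the page does not reproduce the rest of that line, cuts the file there, and then runs a general check that goes beyond the page: any hostname other than localhost pointed at a loopback address is reported, which is how a hijacked hosts file blocks antivirus and update sites. The sample hosts file, the example.* hostnames and the list of legitimate loopback names are constructed assumptions. Run it after step 3, with the worm process already ended.

```python
import sys

# Marker text quoted in the procedure above; the page truncates the line after
# "Made By", so only this prefix is matched.
MARKER = "Botzor2005 Made By"

# Addresses that send a name nowhere (loopback / unspecified).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Names a clean Windows hosts file legitimately maps to loopback (assumption).
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def find_marker(lines):
    """Index of the first line beginning with the worm marker (a leading '#'
    and whitespace are ignored), or None if the file is clean."""
    for i, line in enumerate(lines):
        if line.lstrip().lstrip("#").lstrip().startswith(MARKER):
            return i
    return None


def clean_hosts(text):
    """Step 6 of the procedure: drop the marker line and everything after it.
    Returns (cleaned_text, removed_lines). A file without the marker is
    returned unchanged."""
    lines = text.splitlines()
    idx = find_marker(lines)
    if idx is None:
        return text, []
    return "\n".join(lines[:idx]) + "\n", lines[idx:]


def suspicious_loopback_entries(text):
    """General check (goes beyond the page): hostnames pointed at loopback
    that are not legitimately local. Entries like these are how a hijacked
    hosts file blocks antivirus and update sites."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        if addr in LOOPBACK:
            found.extend(n for n in names if n.lower() not in LEGIT_LOOPBACK_NAMES)
    return found


# Constructed sample: the stock Windows header, then a worm block. The worm's
# actual entries are not given on the page; the example.* names stand in.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
Botzor2005 Made By [remainder of the marker line not reproduced]
127.0.0.1 av-updates.example.com
127.0.0.1 www.example.net
"""


if __name__ == "__main__":
    # Usage: python clean_hosts.py C:\WINNT\system32\drivers\etc\hosts
    # Writes the cleaned copy next to the original rather than in place.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    cleaned, removed = clean_hosts(text)
    print(f"removed {len(removed)} worm line(s); "
          f"suspicious entries left: {suspicious_loopback_entries(cleaned)}")
    if path and removed:
        with open(path + ".cleaned", "w", encoding="utf-8") as f:
            f.write(cleaned)
```

Run without arguments it works on the built-in sample; with a path it writes a .cleaned copy so you can diff it against the original before replacing the real file. If the loopback check still reports names after cleaning, the worm (or something else) has modified the file outside the marked block and the remaining lines need a manual look.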

Sources:

Microsoft.com

Symantec.com

 

Who Created Zotob?

According to MessageLabs, a message security company, the Zotob worm was written by Diabl0, the possible creator of the Mytob worm.

"A signature in the Zotob worm code suggests it is written by somebody called Diabl0 and the IRC server it connects to is the same used in previous version of Mytob," said Alex Shipp, senior antivirus technologist at MessageLabs.

Sources:

News.com.com - Joris Evers

Weblog.InfoWorld.com - Tom Sullivan

 

 

What is Zotob?

The worm targets computers running Microsoft Windows 2000 that do not have MS05-039 installed.

The Zotob worm has spread around the world and brought down systems at CNN, ABC and other networks. It is a descendant of Mytob. Zotob exploits the Plug and Play service vulnerability (MS05-039) on unpatched Windows 2000 systems and on earlier, unpatched versions of Windows XP.

Like most worms, Zotob slows down network connectivity, can shut down or reboot a system, attempts to spread to other systems on the network and ultimately connects to a remote IRC server so that more destructive malware, such as viruses and Trojans, can be downloaded onto the machine.

Here are the Zotob Variants:

  • W32.Zotob.A
  • W32.Zotob.B
  • W32.Zotob.C@mm
  • W32.Zotob.D
  • W32.Zotob.E
  • W32.Zotob.F
  • W32.Zotob.G
  • W32.Zotob.I

 

Sources:

http://www.securityfocus.com/news/11283

 

Why was Zotob Created?

"We seem to have a botwar on our hands," said Mikko Hypponen, chief research officer at F-Secure. According to Hypponen, some later variants actually remove competing malware.

What alarms security professionals is how quickly the worm appeared after Microsoft published the vulnerability: MS05-039 was released on August 9, 2005, and Zotob was in the wild within days.

Sources:

Virus Writers at War

Nytimes.com - Reuters

Worm writers dig speed

businessweek.com - Arik Hesseldahl

 

How Serious is the Zotob Worm?

F-Secure calls it a Level 2: New virus causing large infections. Might be local to a specific region.

Symantec ranks Zotob with a medium damage level but a high distribution rate.

Sophos puts Zotob's prevalence level at just below medium.

So if Zotob causes at most medium damage, why is it getting so much attention? Bruce Schneier put it best: "...the only reason I can think of that CNN did rolling coverage on it is that CNN was hit by it."

 

Diabl0 - TurkCoder

Creator of Zotob and Mytob Worms

Hacked the following sites?

Viacom.ru

IRC = diabl0.turkcoders.ne

Finding Diabl0:

http://forum.mamboserver.com/showthread.php?t=34303

 

Great resources on Zotob:

Singe.rucus.net Summarizes Zotob History

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 2.5 License.