Zotob Wormslaying

Time for a geeky break from political/military rants...

As you may have heard, a new worm is spreading very quickly in the wild. No one seems to be able to pick a name for it—it’s known as Zotob (Symantec), RBOT.CBQ (Trend Micro), Bozori (F-Secure), Tpbot (Sophos) or W32/IRCbot.worm!MS05-039 (McAfee...with a name that just rolls off the tongue!), depending on who you ask. The worm exploits a recent Microsoft vulnerability (MS05-039) that takes advantage of a flaw in the Plug and Play service. Some variants are also able to exploit an older ASN.1 vulnerability (MS04-007), so you should be sure to patch this vulnerability as well.

Here are some brief instructions on how to rid yourself of the worm, in addition to the obvious stuff like keeping your antivirus software up to date. I'd go into further detail, but hey...this is free, handholding costs extra. =)

Worm/Vulnerability Information
Symantec Security Response has good information on the latest variants. Links to each variant are available from their “Latest Virus Threats” page.

Microsoft has a page describing the MS05-039 patch that protects against this vulnerability.

Removing the Worm
It’s possible to remove the worm manually by killing the process, deleting the dropped files, and manually cleaning up the registry, but Symantec created a remover that does all of this automatically. This is probably the easiest way to remove the worm at this time, unless you see a variant that it can’t clean.

1. Identify the worm process
Run Process Explorer (available free from Sysinternals) and check for the presence of a worm process (note that this list will change as new variants are released):

• W32.Zotob.A – botzor.exe (may be described as “WINDOWS SYSTEM” in process list)
• W32.Zotob.B – csm.exe (may be described as “csm Win Updates” in process list)
• W32.Zotob.C@mm – per.exe (may be described as “WINDOWS SYSTEM” in process list)
• W32.Zotob.D – windrg32.exe (may be described as “WinDrg32” in process list)
• W32.Zotob.E – wintbp.exe (may be described as “Wintbp” in process list)
• W32.Zotob.F – wintbpx.exe (may be described as “Wintbpx” in process list)
• W32.Zotob.G – windrg32.exe (may be described as “WinDrg32” in process list)

2. Delete the worm with the Zotob Remover
A standalone Zotob worm remover is available from Symantec. Note that you can also run this tool silently from the command line if you'd like to script it...see their instructions for details.
Currently, version 1.30 of the Zotob remover is capable of dealing with 6 variants:

• W32.Zotob.A
• W32.Zotob.B
• W32.Zotob.C@mm
• W32.Zotob.D
• W32.Zotob.E
• W32.Zotob.F

At present, the tool will not remove a newer variant, W32.Zotob.G. It should be manually removed if found, using instructions available here.

3. Patch the System
After deleting the worm, apply the MS05-039 patch, restart the system, and verify that the worm process is not running. Patches from Microsoft are available here:

• Windows 2000 SP4
• Windows XP SP1/SP2