W32/Zotob.X is a worm. This worm is a variant of W32/Zotob.A. The worm will infect Windows systems. The worm spreads through email and network.

This worm exploits PnP vulnerability present in Windows as explained by Microsoft Security Bulletin MS05-039.

The infected email carries a spoofed 'From' address picked up randomly from the infected system.

The subject of the infected mail will be any one of the following;

Important Notification
MEMBERS SUPPORT
*DETECTED* Online User Violation
Security Measures
WARNING MESSAGE YOUR SERVICES NEAR TO BE CLOSED
Notice Account limitation
Your Account is Suspended
Your Account is Suspended For Security Reasons
You have successfully updated your password
Your Password has been updated
Your password has been successfully updated

The body of the infected mail will be any one of the following;

Dear [user] Member,

Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service.

If you choose to ignore our request, you leave us no choice but to cancel your membership.

Virtually yours,
The [domain] Support Team

Dear [user] Member,

We have temporarily suspended your email account [email account].

This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.

See the details to reactivate your [email account] account.

Sincerely,
The [domain name] Support Team

+++ Attachment: No Virus (Clean)
+++ {domain name of affected network} Antivirus - www. [domain name]

Dear user [user],

You have successfully updated the password of your [domain name] account.

If you did not authorize this change or if you need assistance with your account, please contact customer service at:[email address]

Thank you for using [domain name]!
The [domain name] Support Team

+++ Attachment: No Virus (Clean)
+++ [domain name]Antivirus - www. [domain name]

The infected attachment will be;

[random characters].zip

The attached archive file contains a double extension file, the first extension can be any one of these;

doc, txt or htm.

The second extension can be any one of these;

exe, pif, scr or zip.

Upon execution of the infected attachment, the worm copies itself as windows.exe in the Windows folder.

The worm modifies registry at the following location to register itself as a service.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft Windows System

To propagate itself, the worm scans the files having the following extensions and collects all the available email addresses from the infected system.

asp, adb, dbx, htm, php, pl, sht, tbb and wab.

Microsoft has released the patch for the MS05-039 vulnerability. It can be downloaded from the following link:

http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx

Users should apply this patch downloaded from the link provided above to remove the vulnerability inherent in the system.

This worm first appeared on February 6, 2006.

 Other names of W32/Zotob.X Worm:

This Worm is also known as WORM_ZOTOB.X .