W32/Zotob-K is a mass-mailing and network worm and IRC backdoor Trojan for the Windows platform.
W32/Zotob-K spreads to other computers on the network by exploiting buffer overflow vulnerabilities in the Windows Plug and Play service (MS05-039) and the ASN.1 library (MS04-007), and by copying itself to network shares protected by weak passwords.
W32/Zotob-K runs continuously in the background and provides a backdoor server through which a remote intruder can gain access to and control over the computer via IRC channels, including the ability to download and execute further files on the infected computer.
W32/Zotob-K can also spread by sending itself as an email attachment to email addresses it harvests from the infected computer, either as an attachment with a double extension or as a ZIP archive containing a file with a double extension. W32/Zotob-K does not send emails to addresses that contain certain strings.
W32/Zotob-K processes the harvested addresses by splitting each into a name (local part) and a domain. Once it has sent itself to the harvested addresses, it builds further target addresses by combining a predefined list of names with the harvested domains. W32/Zotob-K spoofs the sender address, sending emails as if from one of the following names at the same domain as the recipient:
For example, if sending itself to email@example.com, W32/Zotob-K might send the email as if from firstname.lastname@example.com.
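The two mail characteristics described above (a double-extension attachment, possibly inside a ZIP archive, and a spoofed sender at the recipient's own domain) are the kind of thing a mail gateway filter can check before the attachment is ever opened. The following Python script is an added example written for this page, not code from the original write-up or from the worm itself. The set of executable extensions it treats as the "second" extension, the sample addresses and the constructed ZIP payload are assumptions made for the demonstration; the worm's real exclusion strings and name list are not reproduced here.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption for this example: a "double extension" is a file name with at
# least two extensions whose final extension is a Windows executable type,
# e.g. "photo.jpg.exe". Plain "archive.tar.gz" is deliberately not flagged.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}


def is_double_extension(name):
    """True for names like photo.jpg.exe; path components inside a ZIP are stripped."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and all(parts)


def suspicious_attachment_names(msg):
    """Return attachment names with a double extension, looking one level into ZIPs."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        if is_double_extension(member):
                            hits.append(f"{name}:{member}")
            except zipfile.BadZipFile:
                # A corrupt ZIP is itself worth a look; record it rather than ignore it.
                hits.append(f"{name}:<unreadable zip>")
    return hits


def same_domain_sender(msg):
    """True when the From: domain equals the To: domain, as the worm's spoofing produces."""
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    to_domain = parseaddr(str(msg["To"]))[1].rpartition("@")[2].lower()
    return bool(from_domain) and from_domain == to_domain


def classify(raw_bytes):
    """Parse a raw RFC 5322 message and report the Zotob-style indicators found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    hits = suspicious_attachment_names(msg)
    return {
        "double_extension": hits,
        "same_domain_sender": same_domain_sender(msg),
        # The attachment check alone is the blocking decision; the same-domain
        # sender is corroborating evidence, since internal mail legitimately shares a domain.
        "flag": bool(hits),
    }


def build_sample(from_addr, to_addr, filename, payload):
    """Construct a sample message (test data, not a captured worm email)."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "sample"
    msg.set_content("see attachment")
    maintype, subtype = ("application", "zip") if filename.endswith(".zip") else ("application", "octet-stream")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def _constructed_zip(member_name):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ placeholder, not a real executable")
    return buf.getvalue()


# Constructed samples: a worm-like message (spoofed same-domain sender, ZIP
# containing photo.jpg.exe) and a benign message with an ordinary PDF.
WORM_SAMPLE = build_sample("firstname.lastname@example.com", "email@example.com",
                           "pictures.zip", _constructed_zip("photo.jpg.exe"))
BENIGN_SAMPLE = build_sample("alice@example.org", "email@example.com",
                             "report.pdf", b"%PDF-1.4 placeholder")

if __name__ == "__main__":
    for label, sample in (("worm-like", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, classify(sample))
```

The ZIP inspection only walks the member names; it never extracts or executes anything, which is all a gateway rule needs for this indicator. Because legitimate internal mail also has matching sender and recipient domains, the same-domain check is reported separately rather than used to block on its own.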
Emails sent by the worm have characteristics from the following: