| |
Virus Description: |
Worm.Zotob is a worm that opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039) on TCP port 445.139 |
|
| |
Systems Affected: |
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP |
|
| |
Technical Details: |
It makes use of the following exploit:
- MS05-039 (Vulnerability in Plug and Play)

After it is launched, it will:
- Copy itself to the Windows system directory as botzor.exe.
- Add the following registry values so that the worm runs at startup:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
  "WINDOWS SYSTEM" = botzor.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunServices
  "WINDOWS SYSTEM" = botzor.exe
- Scan IP addresses for vulnerable machines and try to spawn a remote shell. The shell drops a script file, which accesses an FTP site to download a copy of the worm to the local machine.
- Reboot the system.
- Modify the HOSTS file to block access to certain security websites.
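The persistence and HOSTS changes listed above can be checked offline against artifacts collected from a suspect machine. The following is an added example, not part of the original description or of any Rising tool: the function names are hypothetical, it assumes the registry was exported as `.reg` text, and it assumes HOSTS blocking is done by pointing names at a loopback or null address, which the description does not state.

```python
import re

# Indicators taken from the Technical Details above (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "windows system"
PAYLOAD = "botzor.exe"
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # assumption: blocked names map here
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

def run_key_hits(reg_export: str):
    """Return (key, name, data) for Run/RunServices values matching the worm's entry."""
    hits, key = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not (m and key and key.lower() in RUN_KEYS):
            continue
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        # Flag on the value name or on the payload file name, so a renamed value still hits.
        if name.lower() == VALUE_NAME or data.lower().split("\\")[-1] == PAYLOAD:
            hits.append((key, name, data))
    return hits

def blocked_hosts(hosts_text: str):
    """Return hostnames that a HOSTS file points at a loopback/null address."""
    blocked = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in LOOPBACK:
            blocked += [h for h in fields[1:] if h.lower() not in LOCAL_NAMES]
    return blocked

# Constructed sample input (not captured from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WINDOWS SYSTEM"="botzor.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-vendor.example  # constructed\n"

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG), blocked_hosts(SAMPLE_HOSTS))
```

Registry exports written by regedit are UTF-16, so decode the file before passing its text to `run_key_hits`. Every name returned by `blocked_hosts` needs manual review, since legitimate ad-blocking HOSTS files use the same mapping.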
|
|
| |
Recommendations: |
If you are on a network or have a full-time connection to the Internet, such as a DSL or cable modem, disconnect the computer from the network and the Internet. Disable or password-protect file sharing, or set the shared files to Read Only, before reconnecting the computers to the network or to the Internet. Because this worm spreads by using shared folders on networked computers, share folders with Read Only access or with password protection so that the worm does not reinfect the computer after it has been removed.

This tool can remove the Worm.Zotob virus, including Worm.Zotob, Worm.Zotob.b, Worm.Zotob.c, Worm.Zotob.d, Worm.Zotob.e, Worm.Zotob.f, etc.

OR

Update your Rising Antivirus 2006 to version 17.40.02 or above and perform a full scan of your computer. Enable Auto-Protect when connecting to the Internet. Rising Antivirus 2006 can protect your system against malicious threats. |
|
| |
Virus Tool Name: |
W32.Zotob Removal Tool (324 KB) |
|