Killing a Zombie

Rhye's niece wasn't sure exactly what was wrong with her computer. Her main complaint was that it had been running very sluggishly for the last several months and was now almost unusable. She dropped the computer off here so I could take a long look at it and try to fix whatever was wrong with it.

If it wasn't simply too much junk running on the machine, I suspected a virus or trojan, but I wasn't sure until I turned it on. Something immediately started trying to phone home (my DSL modem lights began flashing like crazy). No firewall software appeared to be running on the machine, and Norton AntiVirus started up, was then disabled, and was then terminated. In the Task Manager, three or four processes were all trying to hog the CPU, driving CPU usage to 90-100%.

I shut down the computer and rebooted it in Safe Mode (with networking) so I could look at what was on the machine without anything malicious running in the background.

I never thought I would see one up close and personal, but Rhye's niece had brought over a real live zombie PC (a machine infected with a virus / trojan horse that lets remote malicious users send commands which the infected machine then executes).

The first thing I wanted to do was run an online antivirus scanner on the machine. Earthlink (my ISP) has one which is provided by Symantec. I needed to download an ActiveX control from Symantec's web site in order to do the scan, but the computer would never download the control.

I then tried to go directly to Symantec's web site and use the online virus scanner there, but the browser only came up with a "Cannot find server / DNS Error" page. This was very suspicious to me, so I examined the \windows\system32\drivers\etc\hosts file to see if anything strange was going on there.

One or more of the viruses had modified the hosts file to block access to major antivirus and firewall vendor sites. These sites were appended at the bottom of the hosts file, below 15-20 blank lines so you wouldn't see them unless you scrolled the window, and mapped to :

Browsing to any of the above sites would cause a "Cannot find server / DNS Error" page to be displayed.
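The hosts-file trick above (vendor entries hidden below a run of blank lines) is easy to miss by eye, so here is a small checker that parses hosts-file text, flags any entry for a security-vendor domain regardless of the address it points to, and reports the longest run of blank lines. This is an added example, not code from the original post; the vendor domain list and the sample hosts content are constructed for illustration.

```python
import re

# Constructed list of security-vendor domains to watch for; any hosts entry
# naming one of these (or a subdomain) is suspicious, whatever IP it maps to.
VENDOR_DOMAINS = ("symantec.com", "norton.com", "mcafee.com", "sophos.com",
                  "kaspersky.com", "trendmicro.com", "grisoft.com",
                  "windowsupdate.com")

# Constructed sample of a tampered hosts file: the normal localhost line,
# 18 blank lines of padding, then the appended redirect entries.
SAMPLE_HOSTS = "127.0.0.1 localhost\n" + "\n" * 18 + "\n".join([
    "127.0.0.1 www.symantec.com",
    "127.0.0.1 securityresponse.symantec.com",
    "127.0.0.1 update.grisoft.com",
    "127.0.0.1 www.example.com",   # not a vendor; reported as 'other'
]) + "\n"

HOSTS_LINE = re.compile(r"^([0-9a-fA-F.:]+)\s+(\S+)")

def is_vendor_host(host):
    """True if host equals or is a subdomain of a watched vendor domain."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def audit_hosts(text):
    """Return (suspicious, longest_blank_run, other) for hosts-file text.

    suspicious/other are lists of (line_number, ip, hostname); localhost
    mappings are ignored, comments are stripped before parsing."""
    suspicious, other = [], []
    longest_gap = gap = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:                      # blank (or comment-only) line
            gap += 1
            longest_gap = max(longest_gap, gap)
            continue
        gap = 0
        m = HOSTS_LINE.match(line)
        if not m:
            continue                      # not a host entry; skip
        ip, host = m.group(1), m.group(2).lower()
        if host == "localhost":
            continue
        (suspicious if is_vendor_host(host) else other).append((lineno, ip, host))
    return suspicious, longest_gap, other

if __name__ == "__main__":
    bad, gap, rest = audit_hosts(SAMPLE_HOSTS)
    print(f"longest run of blank lines: {gap}")
    for lineno, ip, host in bad:
        print(f"line {lineno}: {host} -> {ip}  (security vendor, suspicious)")
    for lineno, ip, host in rest:
        print(f"line {lineno}: {host} -> {ip}  (review manually)")
```

On a real machine, read %SystemRoot%\system32\drivers\etc\hosts into `audit_hosts` instead of the constructed sample; a long blank run followed by vendor entries is exactly the pattern described above.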

After deleting the above entries in the hosts file, I was able to download the ActiveX control and scan the computer for viruses using Earthlink's online virus scanner. The following viruses / worms / trojans were *all* detected on the machine:


  • [No information available]

Trojan dropper

  • Drops Trojan horses or Backdoor Trojans onto an infected computer, and then executes them.


  • Trojan is carried inside of an infected .jpg file
  • Attempts to download a file from a URL specified by the author and save it as "m00.exe"
  • Executes m00.exe


  • Changes the Internet Explorer home page and search page without permission.
  • May add entries to %Windows%\hosts or %System%\drivers\etc\hosts, to redirect to a different Web site.
  • May add a list of URLs to the Favorites folder, some of which may contain adult content.


  • Modifies the file %System%\drivers\etc\hosts, so that attempts to connect to antivirus vendor web sites fail.
  • Connects to an IRC channel and awaits commands.
  • Can run other commands.
  • Can retrieve files via FTP and HTTP.
  • Can restart the computer.
  • Can list processes, and kill a particular process.
  • Can perform HTTP, ICMP, SYN, and UDP floods.
  • Can retrieve email addresses stored on the computer.
  • Can retrieve a list of email addresses via HTTP.
  • Can retrieve a given URL.
  • Can measure the speed of its Internet connection by sending HTTP GET request to one of over 20 hosts.
  • Can sniff HTTP, FTP, and IRC traffic.
  • Can disable other worms by deleting their files and associated registry values and terminating their processes.
  • Starts an FTP server on a randomly selected TCP port.
  • Terminates many security software processes.


  • Connects to an IRC server and listens for commands.
  • Can spread itself using popular file sharing programs such as Kazaa, Bearshare, and Grokster.
  • Can perform a Denial of Service attack on a specified server.
  • Can open/close the CD-ROM drive on command.
  • Can post the CD-Keys of certain games to an IRC channel.


  • Opens a randomly selected TCP port to connect to a hacker.
  • Connects to a predefined IRC channel, using its own IRC client, and listens for the commands from a hacker.
  • Can download and execute files.
  • Can steal system information.
  • Can add new accounts.
  • Steals the CD keys of various games.
  • Ends numerous processes that are associated with antivirus and firewall software.
  • Attempts to kill some processes associated with other worms.


  • Connects to an IRC server, using its own IRC client, and then listens for commands.
  • Can download and execute files.
  • Can steal system information.
  • Can add new accounts.
  • Can perform Denial of Service (DoS) attacks.
  • Queries the registry to steal the CD keys of various games.
  • Terminates antivirus and firewall software, as well as the process names associated with other worms.
  • May add entries to the %System%\drivers\etc\hosts file to disable access to certain antivirus Web sites.


  • Connects to an IRC channel and listens for commands from the hacker.
  • Can download and execute files.
  • Can perform Denial of Service (DoS) attacks against a target defined by the hacker.


  • Attacks randomly generated IP addresses.
  • Opens backdoor ports.
  • Opens connections to predetermined IRC servers and waits for commands from an attacker.
  • Performs Denial of Service (DoS) attacks.


  • Can be configured to create and share a folder on the KaZaA file-sharing network.
  • Can be configured to perform Denial of Service (DoS) attacks on specified servers.
  • Can be configured to terminate security product processes.
  • Connects to specified IRC servers and joins a channel to receive commands.
  • May log keystrokes to a file in the System folder.
  • May send personal information, such as the operating system, IP address, user name, and so on, to the IRC server.
  • May open a backdoor port.

The antivirus scan also picked up a fair amount of ad-ware. Based on the amount of ad-ware found, I installed Ad-Aware SE Personal and scanned the computer with it. Between the antivirus and Ad-Aware scans, over 1,200 files were identified that belonged to 18 different kinds of ad-ware (which are now gone).

Once the viruses, worms, trojans, and ad-ware were gone, the next task was to re-secure the computer so it could not be re-infected (at least not easily). The computer was only running WinXP SP1, with no firewall and an old antivirus program (Norton AntiVirus 2002) with an expired subscription.

I installed Windows XP SP2, downloaded and installed all the security patches from Microsoft, activated the built-in WinXP SP2 firewall, uninstalled the expired Norton AntiVirus 2002, and installed the free edition of AVG AntiVirus.

Rhye wrote up a nice two-page list of safe internet browsing tips for her niece (both things to do and things not to do), so hopefully her computer will not get infected again. I strongly urged Rhye's niece to change the passwords for every account she has accessed from her computer, as the viruses could easily have captured them and sent them out over the internet.

I've read a number of stories about hackers who command armies of zombie PCs just like this one, and Rhye and I see their effect just about every day on our web sites (comment and trackback spam). I never imagined that I would actually get to look at one and have to try to clean it up. It actually felt pretty good to get rid of a zombie PC, but I know there are thousands more out there.

Update: I almost forgot - when the computer was brought over, there was a diskette in the floppy drive. I took it out while I was working on the computer and forgot all about it. When I was about ready to pack everything up, I remembered the diskette and thought I probably should scan it for viruses too. Good thing I did - the diskette had 7 MS Word documents on it, and 3 of them were infected with a Word macro virus.

2 TrackBacks

Last weekend, my niece brought over her PC to have it fixed. My boyfriend, TweezerMan, our in-house Tech Geek, usually takes care of our PC problems here at home and so my niece brought her PC hoping he can work... Read More

This is a good description of cleaning up a zombie computer that had been completely taken over by trojans and malware. I always tend to forget the hosts file as a factor in these situations. Then again, I'm not sure I've ever encountered one so b... Read More

Thanks for the links for the free antivirus software, mine was out of date - yeah, I know I should know better, but I installed AVG today and ran it. I had viruses - trojan dropper and java byte verify on my computer.. oops, all better now :)

OK, so I'm bad. But you know what I would have done first? I would have installed Ethereal and let the machine run for a while, capturing what went on.

And then I'd have reformatted the whole machine after doing a backup (OK, hard to do if the processor spikes. Maybe clean it up first, then do the backup).

It would have been nice to study it for a while, but I had to take my system down to hook up the zombie PC. I spent two days working on it as it was, and I wanted to get my PC back.

Wiping the system and doing a clean install was plan B, if I couldn't clean it out and make sure it was free of viruses and trojans.

Hey Tweezerman-

Found this story via Google; came across my first zombie machine tonight working on a friend's computer; this was a big help. Thanks!

Found on the Wikipedia website.. :) Good, and it looks like it was recently commented on too.... and now for me to add a comment in January 2006.. and by the way, good article, but you should have taken pics... ;) you know, of the files... the ones that were infected... :)

Found in Wiki too =)