'Zotob' Worm Makes Windows Rounds

By Nate Mook | Published August 15, 2005, 12:22 PM

A new worm has been detected spreading on unpatched Windows systems faster than previous worms, but reported infections have remained low for the moment. Dubbed "Zotob" by antivirus vendor Trend Micro, the worm takes advantage of a critical security hole in Windows that was patched last week.

On Friday, Microsoft acknowledged that exploit code had surfaced for at least two of the three vulnerabilities recently announced. The company said it was "disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code."

Zotob works by copying itself into the Windows System folder as either BOTZOR.EXE or CSM.EXE, and modifies a user's "hosts" file to prevent access to antivirus Web sites. The worm initiates an FTP server on port 3333 and scans IP addresses using port 445 for other vulnerable systems.

"Hundreds of infection reports were sighted in the United States and Germany," Trend Micro officials said in a statement.

Aside from propagating itself, however, Zotob also has built in backdoor capabilities. The worm connects to an Internet Relay Chat channel and awaits remote instructions from a malicious user. Due to such actions, Trend Micro has rated Zotob's damage potential as "high."

Trend recommends that Windows users ensure they have installed the latest patches from Microsoft and run an up-to-date antivirus utility.

Comments

View comments by with a score of at least

"Now anyone that doesn't have a legit copy of Windows was unable to patch"

Can you imagine Microsoft doing THAT ?

It's like not mailing your vehicle insurance card to someone who stole your car !

The Computer Rodent

Score: 0

|

You know what, the worm only works on Windows 2000 systems. It says so here: http://www.microsoft.com...ity/incident/zotob.mspx

So don't judge and do the normal "I hate Microsoft" crap you people do.

BTW, you shouldnt hav a pirated version of windows anyways.

Score: 0

|

That's only for variant A. Variants B & C infect XP systems also. Previous versions of Windows seem to be unaffected.

Score: 0

|

A majority of MS exploits are discovered by Security Researchers, most of them notify MS of the exploit and do not publish until MS releases the patch(s).

The reason a worm was created on this one, is due to the wonderful Windows Genuine Advantage. Now anyone that doesn't have a legit copy of Windows was unable to patch, even those people that didn't want to install that program. It's almost like this worm helps MS. Windows Genuine Advantage force released, few days later Windows patches for numerous exploits, few days later worm is released. Only people worried are the pirates! haha.

Yes, they say as long as you have Windows set to Automatically Update on its own, you'll have no problem. However, when I tested that process, I was still with no updates.

So, lesson to all here:

MS: Learn to test your software, QA, maybe you'll catch some of these exploits..considering you have the source code.

Users: If you don't have a legit copy of Windows, time to go buy one, Battlefield 2 will have to wait.

If we all work together, we can accomplish....nothing in this case, but it sounded nice!

::Start By mjm01010101 ::

posted Aug 15, 2005 - 3:15 PM

People don't read much anymore. Whether or not you have a legit copy of windows, you'll get the patches if you have automatic updates turned on. this is, has, and always will be Microsoft's policy for Windows XP.

:: End ::

::my response:: Mcfly, did you not read my entire post? lol. People don't read do they. I set mine to automatic updates tuesdays @ 4pm. Now when I got home, no updates have been applied, so I switched to 1am everyday, wednesday morning, no updates applied...By this time that exploit was released. So given the policy, is there a time delay on how long it takes to release thru automatic updates? Also, I recall they had an issue this time around... My advise to you, read a little more. So by saturday morning, your too late.

Score: 0

|

People don't read much anymore. Whether or not you have a legit copy of windows, you'll get the patches if you have automatic updates turned on. this is, has, and always will be Microsoft's policy for Windows XP.

Score: 0

|

Any copy of Windows will still be able to get critical updates. WGA only applies to special bonus software it has nothing to do with critical updates. Find out more about WGA before you blame it.

My home computer got the critical updates 2 days after my work computer. I doubt that they send out critical updates to 100's of millions of computers simultaneously.

Score: 0

|

WGA applies to all/any downloads from the "Windows Update" web site and Microsoft's download section. I have personal experience where I needed to 'validate' on both sections. Not sure about the "automatic updates."

Score: 0

|

critical updates go through no matter what. MS learned their lesson from lovsan. They're almost force-feeding all of their critical updates now.

Score: 0

|

Sadley my network has not patched since last tuesday. I warned our head network admin...of course my division of pc's are patched.

Score: 0

|

=(((

Oh man. That's a bummer.

Score: 0

|

Provided you don't have pnp exposed to the internet, you should be ok until the patches can be applied. The only really serious risk with that would be someone bringing it in on a laptop.

Score: 0

|

With WSUS I didn't need to do a thing. I was out on vacation all last week and when I came back on Friday only servers needed confirmation of updating. By Saturday morning we were 100% patched, probably 10 minutes worth of effort.

Score: 0

|

ewww... that sounds a lot like the lovsan virus. Hopefully people have learned their lessons and have patched their systems.

Score: 0

|

They never do. Not the vast majority anyway.

Score: 0

|

Google Chrome 4: Yes, it's fast, but is it usable?

As Betanews readers have responded to our stories about Chrome's JavaScript superiority...Does that mean we'd actually use this browser? Well...

Video: Netflix on PlayStation 3

Netflix has come to the PlayStation 3 via Blu-ray and BD-Live.

Verizon Wireless launches new Android, Chocolate, and ruggedized phones

The lower-priced Eris joins the Droid, while the Chocolate gets a touchscreen and more music playback.

Early sales figures for Windows 7 nicely high, but do we know why?

Fans of triple-digit surges in figures quoted by Betanews will love this one, as it appears Microsoft rediscovered how to pull off a software launch.

Myka announces its latest Linux-based 'net top box'

Myka's ION brings Boxee, XMBC, and much more to HDTVs.

What hath Mac wrought? A remembrance after a quarter-century

The reason there's a Macintosh today is not because of some brilliant flash of engineering genius, but because Apple had the audacity to learn from its mistakes.

Early build of Moblin 2.1 improves connectivity, but not device support

The Linux Foundation's Atom-centric OS yesterday received a major overhaul with the project release of Moblin 2.1 for netbooks and nettops.

The iPhone's China syndrome: Sales of 5,000 and climbing

There's actually a country where Apple's device is not a godsend, where sales can be measured in the dozens.

New European counterpart to FCC will ensure 'a more neutral net'

Late Thursday night, the ruling telecom administrators of the EU's member nations signed away their final authority to a new entity overseen by the EC.

Sophos study suggests Windows 7 UAC's default setting is self-defeating

Without any anti-virus installed, a Sophos test showed, User Account Control was only capable of thwarting just one malware package out of ten samples chosen.

Indiscreet tweet trips awareness of Web SSL vulnerability

A group of high-level security engineers had been making progress on thwarting a low-level threat to the Web, until somebody blurted it all out on Twitter.