Login:
Password:
Lost Password?
Print this article  |  E-mail this article  |  Comment on this article

'Zotob' Worm Makes Windows Rounds

By Nate Mook, BetaNews

August 15, 2005, 12:22 PM

A new worm has been detected spreading on unpatched Windows systems faster than previous worms, but reported infections have remained low for the moment. Dubbed "Zotob" by antivirus vendor Trend Micro, the worm takes advantage of a critical security hole in Windows that was patched last week.

On Friday, Microsoft acknowledged that exploit code had surfaced for at least two of the three vulnerabilities recently announced. The company said it was "disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code."

Zotob works by copying itself into the Windows System folder as either BOTZOR.EXE or CSM.EXE, and modifies a user's "hosts" file to prevent access to antivirus Web sites. The worm initiates an FTP server on port 3333 and scans IP addresses using port 445 for other vulnerable systems.

"Hundreds of infection reports were sighted in the United States and Germany," Trend Micro officials said in a statement.

Aside from propagating itself, however, Zotob also has built in backdoor capabilities. The worm connects to an Internet Relay Chat channel and awaits remote instructions from a malicious user. Due to such actions, Trend Micro has rated Zotob's damage potential as "high."

Trend recommends that Windows users ensure they have installed the latest patches from Microsoft and run an up-to-date antivirus utility.

Add a Comment (14 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By PC Rat

edited Aug 17, 2005 - 8:08 AM

"Now anyone that doesn't have a legit copy of Windows was unable to patch"

Can you imagine Microsoft doing THAT ?

It's like not mailing your vehicle insurance card to someone who stole your car !

The Computer Rodent

Score: 0

By z2bass

edited Aug 15, 2005 - 6:23 PM

You know what, the worm only works on Windows 2000 systems. It says so here: http://www.microsoft.com...ity/incident/zotob.mspx

So don't judge and do the normal "I hate Microsoft" crap you people do.

BTW, you shouldnt hav a pirated version of windows anyways.

Score: 0

By Tenoq

posted Aug 15, 2005 - 10:13 PM

That's only for variant A. Variants B & C infect XP systems also. Previous versions of Windows seem to be unaffected.

Score: 0

By jordenpro

edited Aug 15, 2005 - 3:28 PM

A majority of MS exploits are discovered by Security Researchers, most of them notify MS of the exploit and do not publish until MS releases the patch(s).

The reason a worm was created on this one, is due to the wonderful Windows Genuine Advantage. Now anyone that doesn't have a legit copy of Windows was unable to patch, even those people that didn't want to install that program. It's almost like this worm helps MS. Windows Genuine Advantage force released, few days later Windows patches for numerous exploits, few days later worm is released. Only people worried are the pirates! haha.

Yes, they say as long as you have Windows set to Automatically Update on its own, you'll have no problem. However, when I tested that process, I was still with no updates.

So, lesson to all here:

MS: Learn to test your software, QA, maybe you'll catch some of these exploits..considering you have the source code.

Users: If you don't have a legit copy of Windows, time to go buy one, Battlefield 2 will have to wait.

If we all work together, we can accomplish....nothing in this case, but it sounded nice!

::Start By mjm01010101 ::

posted Aug 15, 2005 - 3:15 PM

People don't read much anymore. Whether or not you have a legit copy of windows, you'll get the patches if you have automatic updates turned on. this is, has, and always will be Microsoft's policy for Windows XP.

:: End ::

::my response:: Mcfly, did you not read my entire post? lol. People don't read do they. I set mine to automatic updates tuesdays @ 4pm. Now when I got home, no updates have been applied, so I switched to 1am everyday, wednesday morning, no updates applied...By this time that exploit was released. So given the policy, is there a time delay on how long it takes to release thru automatic updates? Also, I recall they had an issue this time around... My advise to you, read a little more. So by saturday morning, your too late.

Score: 0

By THZGryphon

posted Aug 15, 2005 - 5:56 PM

Any copy of Windows will still be able to get critical updates. WGA only applies to special bonus software it has nothing to do with critical updates. Find out more about WGA before you blame it.

My home computer got the critical updates 2 days after my work computer. I doubt that they send out critical updates to 100's of millions of computers simultaneously.

Score: 0

By yleclerc

posted Aug 15, 2005 - 6:48 PM

WGA applies to all/any downloads from the "Windows Update" web site and Microsoft's download section. I have personal experience where I needed to 'validate' on both sections. Not sure about the "automatic updates."

Score: 0

By wincement

posted Aug 16, 2005 - 12:46 AM

critical updates go through no matter what. MS learned their lesson from lovsan. They're almost force-feeding all of their critical updates now.

Score: 0

By mjm01010101

posted Aug 15, 2005 - 3:15 PM

People don't read much anymore. Whether or not you have a legit copy of windows, you'll get the patches if you have automatic updates turned on. this is, has, and always will be Microsoft's policy for Windows XP.

Score: 0

By bourgeoisdude

posted Aug 15, 2005 - 12:50 PM

Sadley my network has not patched since last tuesday. I warned our head network admin...of course my division of pc's are patched.

Score: 0

By mjm01010101

posted Aug 15, 2005 - 3:13 PM

With WSUS I didn't need to do a thing. I was out on vacation all last week and when I came back on Friday only servers needed confirmation of updating. By Saturday morning we were 100% patched, probably 10 minutes worth of effort.

Score: 0

By fewt

posted Aug 15, 2005 - 1:36 PM

Provided you don't have pnp exposed to the internet, you should be ok until the patches can be applied. The only really serious risk with that would be someone bringing it in on a laptop.

Score: 0

By wincement

posted Aug 15, 2005 - 12:53 PM

=(((

Oh man. That's a bummer.

Score: 0

By wincement

edited Aug 15, 2005 - 12:36 PM

ewww... that sounds a lot like the lovsan virus. Hopefully people have learned their lessons and have patched their systems.

Score: 0

By M0f0

posted Aug 15, 2005 - 2:07 PM

They never do. Not the vast majority anyway.

Score: 0

Nov 21 - 6:51 PM ET Coalition urges better laws for e-mail and cell phone privacy

Nov 21 - 6:42 PM ET How is Internet advertising faring in this bad economy?

Nov 21 - 6:15 PM ET From out of the Amazon Cloud, an AWS winner emerges

Nov 21 - 5:20 PM ET Mufin music finder enters public beta, adds widgets

Nov 21 - 5:01 PM ET Google launches its SearchWiki semantics plug-in

Nov 21 - 4:57 PM ET Asus previews a slimmer, less costly Eee PC

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update

Nov 21 - 11:51 AM ET The Dell surprise: Higher earnings on lower revenue