- Related Stories
-
Watch out for worm wars
August 17, 2005 -
Windows worms knocking out computers
August 16, 2005 -
Zotob worm finds its path limited
August 15, 2005 -
Hacking for dollars
July 6, 2005
The Zotob worm started spreading on Sunday. Since then, the worm, its variants, and other worms that take advantage of the same security flaw have hit Windows computers, especially those running Windows 2000. Systems at ABC, CNN and The New York Times were among those infected.
The cleaning program, released Wednesday, is an updated version of Microsoft's Windows Malicious Software Removal Tool, said Debby Fry Wilson, a director at the company's Security Response Center.
"You click on it and it will tell you if you are infected," she said. "And if you are, it will clean the worm off your PC."
Microsoft typically releases a new version of this tool every month with its security patches. The tool can be run online through Microsoft's Web site or downloaded from the Microsoft Download Center.
The updated cleaning program checks for and removes infections from Zotob.A through Zotob.E, as well as from Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC, according to Microsoft. The list represents all known variants based on Microsoft's investigation, the company said.
"We will continue to investigate reports of future variants and update the tool as necessary based on customer needs," a Microsoft representative said.
Microsoft continues to rate the onslaught of worms as "low to moderate," Fry Wilson said.
Zotob prevention and cure
"The number of customers infected is relatively small," she said. "However, if they are impacted, the pain is certainly real. There is a handful of customers that we have been working with."
The first worm was Zotob, which appeared Sunday and seemed to fade the next day. However, several Zotob offshoots and a new worm were subsequently unleashed. New versions of pre-existing threats also began wriggling their way into computers. All exploit a security hole in the plug-and-play feature in Windows. Some experts believe cybercriminals are engaged in a war to infect as many computers as they can.
Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week, labeling the issue "critical"--its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.
The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.
The worms can infect unpatched Windows 2000 systems that aren't protected by a firewall without any user interaction. The worms typically install a shell program on the computer to download the actual worm code using FTP, or File Transfer Protocol. The newly infected system then starts searching for new computers to compromise.
Additionally, most of the worms install "bot" code that lets an attacker remotely control the infected system. Criminals have typically organized these hijacked systems in networks called "botnets" that are rented out to relay spam, launch extortion scams and engage in other online crimes.
See more CNET content tagged:
Zotob worm, Debby Fry Wilson, worm, variant, Microsoft Windows 2000
Microsoft's efforts to remove these packages, including IE, they
have found that indeed they cannot be removed without
crippling the OS.
"Customers have a choice. They can remove these components
manually and consequently become entirely immune from
network attacks, but the OS will not function. Or, they can leave
them enabled (recommended), but the OS will come under
severe network attack on a daily basis. We are confident
customers will make the right choice."
- A little late!
- by August 18, 2005 9:58 AM PDT
- Well fashionably late as usual for Microsoft. At least for a removal tool. The actual patch was released 9 days before the worm hit. Still not enough time to give companies a chance to test it and approve it for SUS push.
- Reply to this comment
-
-
- Let Me Ask Politely
- by cjohn17 August 20, 2005 7:37 AM PDT
- Honestly, doesn't this kind of MS foolishness wear you and your
-
-
(4 Comments)But our company got hit with this worm, and I managed to write a script to push down via GPO to wipe this sucker out without any down time to the user.
Oh look, Microsoft finally decides to release a removal tool.
company out? It certainly doesn't seem like they really care about
customer service or standards of quality.