Microsoft offers Zotob removal tool

Microsoft has made available a free software tool to help victims of the worms that hit Windows computers in the past days clean their systems.

The Zotob worm started spreading on Sunday. Since then, the worm, its variants, and other worms that take advantage of the same security flaw have hit Windows computers, especially those running Windows 2000. Systems at ABC, CNN and The New York Times were among those infected.

The cleaning program, released Wednesday, is an updated version of Microsoft's Windows Malicious Software Removal Tool, said Debby Fry Wilson, a director at the company's Security Response Center.

"The number of customers infected is relatively small. However, if they are impacted, the pain is certainly real."

--Debby Fry Wilson, director, Microsoft Security Response Center

"You click on it and it will tell you if you are infected," she said. "And if you are, it will clean the worm off your PC."

Microsoft typically releases a new version of this tool every month with its security patches. The tool can be run online through Microsoft's Web site or downloaded from the Microsoft Download Center.

The updated cleaning program checks for and removes infections from Zotob.A through Zotob.E, as well as from Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC, according to Microsoft. The list represents all known variants based on Microsoft's investigation, the company said.

"We will continue to investigate reports of future variants and update the tool as necessary based on customer needs," a Microsoft representative said.

Microsoft continues to rate the onslaught of worms as "low to moderate," Fry Wilson said.

CNET security center
Zotob prevention and cure

New worms attack vulnerable Windows 2000 and Windows XP SP1 machines.

"The number of customers infected is relatively small," she said. "However, if they are impacted, the pain is certainly real. There is a handful of customers that we have been working with."

The first worm was Zotob, which appeared Sunday and seemed to fade the next day. However, several Zotob offshoots and a new worm were subsequently unleashed. New versions of pre-existing threats also began wriggling their way into computers. All exploit a security hole in the plug-and-play feature in Windows. Some experts believe cybercriminals are engaged in a war to infect as many computers as they can.

Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week, labeling the issue "critical"--its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.

The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

The worms can infect unpatched Windows 2000 systems that aren't protected by a firewall without any user interaction. The worms typically install a shell program on the computer to download the actual worm code using FTP, or File Transfer Protocol. The newly infected system then starts searching for new computers to compromise.

Additionally, most of the worms install "bot" code that lets an attacker remotely control the infected system. Criminals have typically organized these hijacked systems in networks called "botnets" that are rented out to relay spam, launch extortion scams and engage in other online crimes.

Incomplete

I downloaded the application and it seems horribly incomplete. It does not remove the most pernicious malicious software on the system, such as ActiveX, Outlook, and Window Media Player. What do you suppose the odds are that they will fix those oversights?

A little late!

Well fashionably late as usual for Microsoft. At least for a removal tool. The actual patch was released 9 days before the worm hit. Still not enough time to give companies a chance to test it and approve it for SUS push.

But our company got hit with this worm, and I managed to write a script to push down via GPO to wipe this sucker out without any down time to the user.

Oh look, Microsoft finally decides to release a removal tool.