Zotob worm finds its path limited

A new worm that was unleashed over the weekend affects only a limited group of Windows users and has not wreaked any widespread havoc, according to Trend Micro.

As of Monday morning on the West Coast, the original Zotob.A had infected about 50 computers worldwide, and the first variant, Zotob.B, had compromised about 1,000 systems, the antivirus software maker said.

"There are not that many infections," said David Perry, director of global education at Trend Micro.

The worm, which has spawned at least two variants, exploits a hole in the plug-and-play feature in the Windows operating system. It surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.

While early reports on Zotob suggested it was spreading rapidly, the impact of the worm has actually been restricted because it targets PCs running Windows 2000, an older version of the software, Microsoft said. It poses no threat to computers running the newer Windows XP and Windows Server 2003, the company added.

"Only a small number of customers have actually been affected," said Stephen Toulouse, a program manager in Microsoft's security group. "It is not something that has any type of widespread impact on the Internet...It hits Windows 2000 customers very specifically."

Zotob appeared in record time after Microsoft's patch release, according to Trend Micro. "This is the fastest turnaround from the announcement of the vulnerability to an actual virus," Perry said.

Last Tuesday, Microsoft issued patches to fix the plug-and-play vulnerability in various versions of Windows. The bulletins included fixes for the newer Windows XP and Windows Server 2003, even though the software maker already said at the time that only PCs running Windows 2000 were susceptible to a remote attack via the vulnerability.

There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.

Users of Windows 2000 should be on guard, especially if they are not using a firewall, said Mikko Hypponen, director of antivirus research at software maker F-Secure. Zotob.A and Zotob.B scan the Internet for vulnerable systems using TCP port 445, a port typically blocked by a firewall, he said.

When a target system is found by Zotob, it installs a shell program on the computer that downloads the actual worm code, named Haha.exe, using FTP (File Transfer Protocol). The newly infected system then starts searching for new computers to compromise.

A second offshoot, Zotob.C, adds a mass-mailing capability, which means it can also spread by e-mail.

The worm itself doesn't have a destructive payload, but the first two versions do let the attacker commandeer the infected machine. "It leaves an open back door. It could download anything," Perry said.

[Mendz]

Funny...

This article is like an ad to upgrade to WinXP and Win2K3. Almost...

[Mendz]

Funny...

This article is like an ad to upgrade to WinXP and Win2K3. Almost...

[open-mind]

Baloney

This morning, it affected several thousand PC's where I work. Each
PC was out of commission for 5+ hours.

[202578300049013666264380294439]

Fire your network administrator then

He's a fool for leaving port 445 open through your Firewall.

[open-mind]

Baloney

This morning, it affected several thousand PC's where I work. Each
PC was out of commission for 5+ hours.

[202578300049013666264380294439]

Fire your network administrator then

He's a fool for leaving port 445 open through your Firewall.

[Gino Deblauwe]

Strangest thing

Most people who still use W2k are working in a
company (maybe because W2k is more stable and
faster then WXP, but unfortunately because W2k
is not available for sale anymore and because
people think that latest versions are best
=> not with mickeysoft it is)

Windows (not only W2k) has a general name of
security holes, bugs and other gossip

+ _______________________________________________
Why not use a firewall which blocks the damned
port, it's a total unnecessary port on the
internet

[202578300049013666264380294439]

Huh?

XP is more stable than W2K, only those who don't know how to configure systems properly have trouble upgrading.

[George Cole]

security holes, bugs

<a class="jive-link-external" href="http://www.analogstereo.com/citroen_c5_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/citroen_c5_owners_manual.htm</a>

[Gino Deblauwe]

Strangest thing

Most people who still use W2k are working in a
company (maybe because W2k is more stable and
faster then WXP, but unfortunately because W2k
is not available for sale anymore and because
people think that latest versions are best
=&gt; not with mickeysoft it is)

Windows (not only W2k) has a general name of
security holes, bugs and other gossip

+ _______________________________________________
Why not use a firewall which blocks the damned
port, it's a total unnecessary port on the
internet

[202578300049013666264380294439]

Huh?

XP is more stable than W2K, only those who don't know how to configure systems properly have trouble upgrading.

[George Cole]

security holes, bugs

<a class="jive-link-external" href="http://www.analogstereo.com/citroen_c5_owners_manual.htm" target="_newWindow">http://www.analogstereo.com/citroen_c5_owners_manual.htm</a>

[Scott W]

no patch

this means that MS won't be releasing a patch for this then, seeing as it hasn't affected winXP. i wonder how long it will take someone to modify it and infect all those unprotected XP PCs.

[catchall]

Please at least read the article

&gt;&gt; It surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.

The fix is out. It is already patched. Over, done with, in the past.

[Scott W]

no patch

this means that MS won't be releasing a patch for this then, seeing as it hasn't affected winXP. i wonder how long it will take someone to modify it and infect all those unprotected XP PCs.

[catchall]

Please at least read the article

&gt;&gt; It surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.

The fix is out. It is already patched. Over, done with, in the past.

[Sam Papelbon]

to all bug-writers out there

why not do everyone a favor and write a 'bug' that exploits security holes in windows to spread to every vulnerable computer, and every 10 minutes it pops up a message that says 'please go to windowsupdate.com you lazy bastard'

[202578300049013666264380294439]

Because the enduser may not be the problem

After all, how long has SP2 been available for XP? Yet I know of a large company that still hasn't installed it because their admin staff hasn't qualified it to run on their network!

Silly? Definitely, but not the fault of the end-user who'd have to put up with that annoying display. Besides, anyone who wrote a virus like that would be more likely to advise the end-user to load Linux :).

[Sam Papelbon]

to all bug-writers out there

why not do everyone a favor and write a 'bug' that exploits security holes in windows to spread to every vulnerable computer, and every 10 minutes it pops up a message that says 'please go to windowsupdate.com you lazy bastard'

[202578300049013666264380294439]

Because the enduser may not be the problem

After all, how long has SP2 been available for XP? Yet I know of a large company that still hasn't installed it because their admin staff hasn't qualified it to run on their network!

Silly? Definitely, but not the fault of the end-user who'd have to put up with that annoying display. Besides, anyone who wrote a virus like that would be more likely to advise the end-user to load Linux :).