Topic: Zotob worm targets Windows 2000

[Clive]

Munir Kotadia
ZDNet Australia
August 15, 2005, 08:55 BST
 
Antivirus firms have urged affected users to patch their systems immediately after a worm was discovered over the weekend that exploits a critical vulnerability in some Windows platforms.
  
The Zotob worm exploits a flaw which primarily affects the Windows 2000 platform but has an impact on Windows XP Service Pack I.

Microsoft released a patch on August 9. The Microsoft Technical Bulletin MS05-039 stated that a successful exploitation would allow the attacker to "take complete control of the affected system ... install programs; view, change, or delete data; or create new accounts with full user rights."

The worm does not affect Windows XP SP2 or Windows Server 2003 systems.

Mark Sinclair, technical services director at Trend Micro Australia, told ZDNet Australia that it was about to issue a yellow alert -- which means the worm is being reported in at least two [global] regions and there is a high potential for damage -- for Zotob after receiving infection alerts from customers.

"We are seeing some evidence of [infections] today -- I can't talk about which companies in particular but they are big enterprises. We are getting reports from those customers that they are getting infected by this particular worm," said Sinclair.

However, companies should not panic ... yet.

"It is not panic stations at this stage. But given that the vulnerability was only announced last week, it is a very quick turnaround for virus writers and it could get nasty," said Sinclair.

Allan Bell, marketing director for McAfee Asia-Pacific, said most large organisations could avoid the worm by making sure they block ports 445 and 139 on their firewall.

"These particular ports are used for file sharing and most corporates should have them blocked off. It is unusual for a corporate to have those open because you don't normally want somebody remotely accessing your systems," said Bell.

Antivirus firms are particularly worried because of the number of Windows 2000 systems that are still in use. According to a recent study published by asset management specialist Assetmetrix, Windows 2000 is still installed in more than 50 percent of computers used by large corporations worldwide.

Graham Cluley, senior technology consultant at Sophos said in a statement yesterday: "There will be many Windows computers that will not have been patched yet and may be vulnerable to infection and compromise. Everyone should act swiftly to ensure their PCs are properly protected with antivirus software, firewall software and up-to-date security patches."

Click here to download the patch.  
HERE

[Clive]

Zotob worm makes little progress
Joris Evers
CNET News.com
August 16, 2005, 09:20 BST
 
A new worm that was unleashed over the weekend affects only a limited group of Windows users and has not wreaked any widespread havoc, according to Trend Micro.

As of Monday morning on the West Coast of the US, the original Zotob.A had infected about 50 computers worldwide, and the first variant, Zotob.B, had compromised about 1,000 systems, the antivirus software maker said.

[Clive]

Microsoft offers Zotob removal tool
Published: August 17, 2005, 6:40 PM PDT
By Joris Evers
Staff Writer, CNET News.com

Microsoft has made available a free software tool to help victims of the worms that hit Windows computers in the past days clean their systems.

The Zotob worm started spreading on Sunday. Since then, the worm, its variants, and other worms that take advantage of the same security flaw have hit Windows computers, especially those running Windows 2000. Systems at ABC, CNN and The New York Times were among those infected.

The cleaning program, released Wednesday, is an updated version of Microsoft's Windows Malicious Software Removal Tool, said Debby Fry Wilson, a director at the company's Security Response Center.

"The number of customers infected is relatively small. However, if they are impacted, the pain is certainly real."
--Debby Fry Wilson, director, Microsoft Security Response Center"You click on it and it will tell you if you are infected," she said. "And if you are, it will clean the worm off your PC."

Microsoft typically releases a new version of this tool every month with its security patches. The tool can be run online through Microsoft's Web site or downloaded from the Microsoft Download Center.

The updated cleaning program checks for and removes infections from Zotob.A through Zotob.E, as well as from Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC, according to Microsoft. The list represents all known variants based on Microsoft's investigation, the company said.

"We will continue to investigate reports of future variants and update the tool as necessary based on customer needs," a Microsoft representative said.

Microsoft continues to rate the onslaught of worms as "low to moderate," Fry Wilson said.

New worms attack vulnerable Windows 2000 and Windows XP SP1 machines."The number of customers infected is relatively small," she said. "However, if they are impacted, the pain is certainly real. There is a handful of customers that we have been working with."

The first worm was Zotob, which appeared Sunday and seemed to fade the next day. However, several Zotob offshoots and a new worm were subsequently unleashed. New versions of pre-existing threats also began wriggling their way into computers. All exploit a security hole in the plug-and-play feature in Windows. Some experts believe cybercriminals are engaged in a war to infect as many computers as they can.

Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week, labeling the issue "critical"--its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.

The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

The worms can infect unpatched Windows 2000 systems that aren't protected by a firewall without any user interaction. The worms typically install a shell program on the computer to download the actual worm code using FTP, or File Transfer Protocol. The newly infected system then starts searching for new computers to compromise.

Additionally, most of the worms install "bot" code that lets an attacker remotely control the infected system. Criminals have typically organized these hijacked systems in networks called "botnets" that are rented out to relay spam, launch extortion scams and engage in other online crimes.

ALL LINKS