[ISN] Zotob worm finds its path limited

From: InfoSec News (isn@private)
Date: Mon Aug 15 2005 - 23:20:09 PDT


http://news.com.com/Zotob+worm+finds+its+path+limited/2100-7349_3-5833777.html

By Joris Evers 
Staff Writer, CNET News.com
August 15, 2005

A new worm that was unleashed over the weekend affects only a limited
group of Windows users and has not wreaked any widespread havoc,
according to Trend Micro.

As of Monday morning on the West Coast, the original Zotob.A had
infected about 50 computers worldwide, and the first variant, Zotob.B,
had compromised about 1,000 systems, the antivirus software maker
said.

"There are not that many infections," said David Perry, director of
global education at Trend Micro.

The worm, which has spawned at least two variants, exploits a hole in
the plug-and-play feature in the Windows operating system. It surfaced
only days after Microsoft offered a fix for the "critical" bug as part
of its monthly patching cycle.

While early reports on Zotob suggested it was spreading rapidly, the
impact of the worm has actually been restricted because it targets PCs
running Windows 2000, an older version of the software, Microsoft
said. It poses no threat to computers running the newer Windows XP and
Windows Server 2003, the company added.

"Only a small number of customers have actually been affected," said
Stephen Toulouse, a program manager in Microsoft's security group. "It
is not something that has any type of widespread impact on the
Internet... It hits Windows 2000 customers very specifically."

Zotob appeared in record time after Microsoft's patch release,
according to Trend Micro. "This is the fastest turnaround from the
announcement of the vulnerability to an actual virus," Perry said.

Last Tuesday, Microsoft issued patches to fix the plug-and-play
vulnerability in various versions of Windows. The bulletins included
fixes for the newer Windows XP and Windows Server 2003, even though
the software maker already said at the time that only PCs running
Windows 2000 were susceptible to a remote attack via the
vulnerability.

There are desktop and server versions of Windows 2000, which was
released in 2000 for business users rather than consumers. More recent
editions of Windows are available, but Windows 2000 remains popular.  
The operating system ran on 48 percent of business PCs during the
first quarter of 2005, according to a recent study by AssetMetrix.
Users of Windows 2000 should be on guard, especially if
they are not using a firewall, said Mikko Hypponen, director of
antivirus research at software maker F-Secure. Zotob.A and Zotob.B
scan the Internet for vulnerable systems using TCP port 445, a port
typically blocked by a firewall, he said.

When a target system is found by Zotob, it installs a shell program on
the computer that downloads the actual worm code, named Haha.exe,
using FTP (File Transfer Protocol). The newly infected system then
starts searching for new computers to compromise.
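As an added example (not from the article or any vendor), the two propagation behaviours described above can be checked for in firewall logs: a host fanning out connection attempts to TCP port 445 across many peers, and a host that was reached on 445 then opening an FTP connection. The log line format, addresses, times and thresholds below are constructed assumptions.

```python
"""Detect Zotob-style propagation in simple firewall logs (added example)."""
from collections import defaultdict

# Constructed sample log lines: "<time> <action> <src> <dst> <dport>".
# Addresses and times are made up; 10.0.0.5 plays the scanning host.
SAMPLE_LOG = """\
10:00:01 ALLOW 10.0.0.5 10.0.0.11 445
10:00:01 DENY 10.0.0.5 10.0.0.12 445
10:00:02 DENY 10.0.0.5 10.0.0.13 445
10:00:02 ALLOW 10.0.0.5 10.0.0.14 445
10:00:03 DENY 10.0.0.5 10.0.0.15 445
10:00:03 ALLOW 10.0.0.5 10.0.0.16 445
10:00:05 ALLOW 10.0.0.14 10.0.0.5 21
10:00:06 ALLOW 10.0.0.7 10.0.0.20 80
10:00:07 ALLOW 10.0.0.7 10.0.0.21 445
""".splitlines()


def parse(line):
    ts, action, src, dst, dport = line.split()
    return {"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)}


def find_445_scanners(lines, min_targets=5):
    """Map each source to its count of distinct TCP/445 destinations, keeping
    only sources at or above min_targets. DENY lines count too: a firewall
    that blocks 445 (as the article recommends) still records the scan."""
    targets = defaultdict(set)
    for rec in map(parse, lines):
        if rec["dport"] == 445:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def find_ftp_fetchers(lines, scanners):
    """Hosts that a known scanner reached on 445 (ALLOW) and that afterwards
    opened an outbound FTP control connection (TCP/21): the described
    'shell program that downloads the actual worm code using FTP' step."""
    recs = [parse(line) for line in lines]
    first_hit = {}  # victim -> time of first allowed 445 connection from a scanner
    for r in recs:
        if r["dport"] == 445 and r["action"] == "ALLOW" and r["src"] in scanners:
            first_hit.setdefault(r["dst"], r["ts"])
    return sorted({r["src"] for r in recs
                   if r["dport"] == 21 and r["src"] in first_hit
                   and r["ts"] > first_hit[r["src"]]})


if __name__ == "__main__":
    scanners = find_445_scanners(SAMPLE_LOG)
    print("445 scanners:", scanners)
    print("likely FTP fetchers:", find_ftp_fetchers(SAMPLE_LOG, scanners))
```

On real logs the threshold and time window need tuning; legitimate file servers also see many 445 connections, but they are usually inbound, not outbound fan-out from a single workstation.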

A second offshoot, Zotob.C, adds a mass-mailing capability, which
means it can also spread by e-mail.

The worm itself doesn't have a destructive payload, but the first two
versions do let the attacker commandeer the infected machine. "It
leaves an open back door. It could download anything," Perry said.


Copyright ©1995-2005 CNET Networks, Inc


