Zotob Worm That Exploits Plug and Play Hole Spreading Slowly

A Microsoft official said Monday that a dangerous new worm dubbed Zotob is spreading slowly, but Microsoft is on high alert and the company recommends that customers apply a patch for the Windows Plug and Play vulnerability the worm exploits.

"Our investigation has determined that only a small number of customers have been affected and we're working directly with them," wrote Stephen Toulouse in an entry in the Microsoft Security Response Center blog. "We have seen no indication of widespread impact to the Internet … We will remain watchful for any variants or any further customer impact."

Zotob, also known as Worm:Win32/Zotob.A, and several variants emerged over the weekend. The worm followed a common pattern: Microsoft released a patch for a previously undisclosed vulnerability on Tuesday. By Thursday, security researchers had posted exploit code for the flaw -- a precursor to many worms. Over the weekend, the first worm appeared and new variants popped up on Monday and Tuesday.

In this specific case, the flaw involves Windows Plug and Play, and Microsoft patched the flaw on Tuesday in MS05-039. Microsoft rated the flaw critical for Windows 2000 and important for Windows XP and Windows Server 2003. The flaw can be used for remote code execution and local elevation of privilege. Researchers with Trend Micro say the flaw also affects Windows NT, although Microsoft did not publicly provide a patch for Windows NT since that operating system is no longer supported.

According to Microsoft, customers who have installed the MS05-039 security update are not at risk. The exploit code does not target Windows XP or Windows Server 2003, according to Microsoft's security advisory on the issue.

In its Zotob.A variant, the self-executing worm creates a file called botzor.exe in the Windows System directory and creates Registry run keys to load itself at startup, according to anti-virus vendor McAfee Inc. It appends entries to the hosts file to block access to anti-virus sites. Significantly, the worm contains bot functionality -- it attempts to connect to an Internet Relay Chat (IRC) server on TCP port 8080 and joins a specified channel to wait for instructions from a malicious attacker.

To spread itself, the worm creates 16 threads to scan for unpatched systems on TCP port 445. When it finds an unpatched system, the worm sends a buffer-overflow payload and shellcode to compromise the vulnerable system.
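As an added example (not part of the article or of Microsoft's advisory), a small detector for the two network behaviours described above: one source fanning out to many destinations on TCP 445, and that same source contacting a peer on TCP 8080. It runs over constructed firewall-style log lines; the log format, the addresses and the scanning threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample log in a simplified "src dst dport proto" format (not real traffic).
# 10.0.0.5 behaves like a Zotob.A host: it probes 16 neighbours on TCP 445 and then
# connects to an IRC server on TCP 8080. 10.0.0.9 is a normal client reaching two
# file servers on 445 and a web proxy on 8080.
SAMPLE_LOG = [f"10.0.0.5 10.0.0.{100 + i} 445 tcp" for i in range(1, 17)]
SAMPLE_LOG += ["10.0.0.5 203.0.113.9 8080 tcp",
               "10.0.0.9 10.0.0.20 445 tcp",
               "10.0.0.9 10.0.0.21 445 tcp",
               "10.0.0.9 10.0.0.30 8080 tcp"]

# Assumed threshold: distinct SMB destinations from one source before it counts as scanning.
# Ordinary clients talk to a handful of file servers; a scanner fans out across a subnet.
SCAN_THRESHOLD = 10

def parse_line(line):
    """Split one log line into (src, dst, dport, proto)."""
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto.lower()

def analyze(lines, scan_threshold=SCAN_THRESHOLD):
    """Return {src: {"smb_targets": n, "port_8080_peers": [...]}} for sources that fan out on TCP 445."""
    smb_targets = defaultdict(set)   # src -> distinct destinations probed on 445
    peers_8080 = defaultdict(set)    # src -> destinations contacted on 8080 (possible IRC control)
    for line in lines:
        if not line.strip():
            continue
        src, dst, dport, proto = parse_line(line)
        if proto != "tcp":
            continue
        if dport == 445:
            smb_targets[src].add(dst)
        elif dport == 8080:
            peers_8080[src].add(dst)
    findings = {}
    for src, targets in smb_targets.items():
        if len(targets) >= scan_threshold:
            # Port 8080 alone is weak evidence (proxies use it too); it is reported only
            # alongside the scanning behaviour, which is the stronger signal.
            findings[src] = {"smb_targets": len(targets),
                             "port_8080_peers": sorted(peers_8080.get(src, ()))}
    return findings

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"{src}: probed {info['smb_targets']} hosts on 445, 8080 peers {info['port_8080_peers']}")
```

Lowering the threshold shows why it matters: at a value of 2 the ordinary client 10.0.0.9 is flagged as well.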

Microsoft Security Bulletin MS05-039 is available here.

The Microsoft Security Advisory about the Zotob worm is available here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

