Worms Hit High-Profile Targets

CNN, The New York Times, the U.S. Congress and the Caterpillar Co. are among major organizations reporting system downtime from worms stemming from the Plug and Play vulnerability in Windows 2000.

Other sites reported to have suffered serious problems included ABC and an administrative office at San Francisco International Airport.

A state of general alarm has existed in security circles since last Thursday, when exploit code first appeared for the Windows Plug and Play vulnerability that Microsoft released a patch for two days earlier. While that patch, MS05-039, also applied to Windows XP and Windows Server 2003, it was only considered critical for Windows 2000. The first worm based on the flaw, called Zotob, appeared on Sunday.

The worst round of outages began Tuesday evening and coincided with the appearance of two new variants of the worm, dubbed Zotab.D and IRCBot.KB. According to security researchers at Panda Software, the Zotab.D variant was prone to cause system crashes because of a behavior that attempted to uninstall adware, causing a cycle of system reboots.

Behavior common to the Zotob family of worms is scanning TCP port 445 for vulnerable systems, installing themselves on unpatched systems and opening backdoors to listen for commands from attackers.

Because Windows 2000 is primarily a corporate product, the issue has not had a major impact on consumers.

Microsoft continued to assess the worm as a low threat. In a statement released Wednesday, the company said, "Zotob has thus far had a low rate of infection. Zotob only targets Windows 2000. Customers running other versions such as Windows XP, or customers who have applied the MS05-039 update to Windows 2000 are not impacted by this attack."

"All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation," the company said.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • RAMBleed Side-Channel Attack Method Disclosed by Researchers

    Academic researchers this week published information about another side-channel attack method, called "RAMBleed," that can expose information from memory chips, including encryption key information.

  • Penguin

    Windows 10 Preview Build 18917 Shows Off New Linux Integration

    Microsoft's latest Windows 10 "fast-ring" preview release is showcasing a coming Delivery Optimization enhancement, along with the ability to try the newly emerged Windows Subsystem for Linux version 2.

  • Customizing Microsoft Office 365

    While the overall look and feel of Office 365 is pretty standard across organizations, there are several ways to personalize it and make it fit better with your company's specific needs.

  • Microsoft 365 Business Tenants Getting Conditional Access and Trouble-Ticket Features

    Microsoft added its conditional access security service to Microsoft 365 Business subscriptions, according to a Wednesday announcement, and it also added new trouble-ticket features for Microsoft 365 administrators.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.