Meet ZoTob; New Worm; Busy Attacking Windows Vulnerabilities

Jack M. Germain, newsfactor.com

Finnish antivirus firm F-Secure found a new worm on Sunday that attacks the Windows Plug-and-Play vulnerability that Microsoft patched last Tuesday. The security firm's researchers said the worm, which they named ZoTob, poses the biggest risk to users running Windows 2000.

Industry researchers began seeing exploit code for the critical Microsoft vulnerability showing up on various hacking Web sites on Friday. According to F-Secure's Web site, ZoTob began spreading as early as 7:30 a.m. EST Sunday morning.

Mikko Hyppönen, director of antivirus research for F-Secure, wrote that the new worm is based on MyTob, a mass-mailing virus that opens a back door and lowers security settings on compromised machines.

Hyppönen noted that the ZoTob worm might be using exploit code published by a researcher known as "houseofdabus" four days ago. ZoTob is the first major self-propagating program since the Sasser worm -- which began spreading April 30, 2004 -- to target a Microsoft Windows vulnerability.

F-Secure researchers also announced their discovery of two variants of the ZoTob worm. Each one gives hackers access to unpatched computers and shares several similarities with the earlier MyTob worm.

Windows XP Users Safe

According to F-Secure researchers and other antivirus companies, ZoTob has no effect on computers running Windows XP Service Pack 2 or Windows Server 2003. Thus, the ZoTob worm should not spread as quickly as Sasser did.

According to researchers, Microsoft confirmed that ZoTob only infects Windows 2000 systems. Redmond said that any Windows XP system that applied the updated patches released last Tuesday would be safe.

Other antivirus researchers, however, say unpatched vulnerabilities in other Windows platforms -- Windows 95, 98 and ME -- could be at risk.

Attack Scenario

Antivirus firm Trend Micro (Nasdaq: TMIC) said the ZoTob worm places a copy of itself into the Windows system folder as botzor.exe and modifies the infected computer's hosts file, preventing the user from getting online assistance from antivirus Web sites.

According to the Internet Storm Center, which monitors network threats for the SANS Institute, the ZoTob worm compromises computers by sending data on TCP port 445. The worm uses the infected computer as a file transfer protocol (FTP) server in an effort to propagate itself.
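The two behaviours described above (a rewritten hosts file that blackholes antivirus sites, and one host fanning out to many neighbours on TCP 445) are both cheap to check for. The following is an added example written for this page, not Trend Micro's, F-Secure's or the ISC's code; the hosts-file content, the connection log and the vendor-domain list are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a hosts file as ZoTob-style worms rewrite it, pointing
# antivirus update/support sites at loopback or 0.0.0.0 so they never load.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.f-secure.com
127.0.0.1       www.trendmicro.com
0.0.0.0         update.symantec.com
192.168.1.10    intranet.example.test
"""

# Constructed sample connection log, one "src dst dport proto" record per line.
SAMPLE_CONN_LOG = """\
10.0.0.5 10.0.0.7 445 tcp
10.0.0.5 10.0.0.8 445 tcp
10.0.0.5 10.0.0.9 445 tcp
10.0.0.5 10.0.0.10 445 tcp
10.0.0.5 10.0.0.11 445 tcp
10.0.0.6 10.0.0.7 80 tcp
10.0.0.6 10.0.0.8 445 tcp
"""

# Assumption: a short, illustrative list of vendor domains worth watching.
AV_DOMAINS = ("f-secure.com", "trendmicro.com", "symantec.com", "mcafee.com")

def is_sinkhole(addr):
    """True when addr is loopback or unspecified, i.e. the entry blackholes a name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def find_blocked_av_hosts(hosts_text):
    """Return antivirus hostnames that the hosts file redirects to a sinkhole."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        hits.extend(n for n in names if is_sinkhole(addr) and n.endswith(AV_DOMAINS))
    return hits

def find_smb_scanners(conn_log, threshold=5):
    """Return sources that contacted at least `threshold` distinct hosts on TCP 445."""
    targets = defaultdict(set)
    for line in conn_log.splitlines():
        src, dst, dport, proto = line.split()
        if proto == "tcp" and dport == "445":
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= threshold)
```

On a real host the first function would be fed the contents of %SystemRoot%\system32\drivers\etc\hosts, and the second a firewall or flow export from the local segment.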

F-Secure's Hyppönen said that researchers found a message hidden inside the virus code warning death to the first to discover the worm. That message said, "MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!"

Although ZoTob appears to be a failed attack, David Perry, Trend Micro's Director of Global Education, recommends that all users remain vigilant.

"ZoTob.A utilizes modular programming, which is considered a mainstream programming technique, and has been in wide use since MyDoom.A in January, 2004," said Perry. "ZoTob.A carries on in that tradition, utilizing a module of the MyTob family of worms, called 'HELLBOT.' Therefore, it is certainly possible that further variants will be forthcoming."

ZoTob/Botzor.exe is expected to be quite active searching out Windows 2000 systems during this week, August 15-20.

Copyright 2005 NewsFactor Network, Inc.


*** FAIR USE NOTICE. This message contains copyrighted material the use of which has not been specifically authorized by the copyright owner. This Internet discussion group is making it available without profit to group members who have expressed a prior interest in receiving the included information in their efforts to advance the understanding of literary, educational, political, and economic issues, for non-profit research and educational purposes only. I believe that this constitutes a 'fair use' of the copyrighted material as provided for in section 107 of the U.S. Copyright Law. If you wish to use this copyrighted material for purposes of your own that go beyond 'fair use,' you must obtain permission from the copyright owner, in this instance, NewsFactor Network, Inc.

