Zotob Worm That Exploits Plug and Play Hole Spreading Slowly

A Microsoft official said Monday that a dangerous new worm dubbed Zotob is spreading slowly, but Microsoft is on high alert and the company recommends that customers apply a patch for the Windows Plug and Play vulnerability the worm exploits.

"Our investigation has determined that only a small number of customers have been affected and we're working directly with them," wrote Stephen Toulouse in an entry in the Microsoft Security Response Center blog. "We have seen no indication of widespread impact to the Internet … We will remain watchful for any variants or any further customer impact."

Zotob, also known as Worm:Win32/Zotob.A, and several variants emerged over the weekend. The worm followed a common pattern: Microsoft released a patch for a previously undisclosed vulnerability on Tuesday. By Thursday, security researchers had posted exploit code for the flaw -- a precursor to many worms. Over the weekend, the first worm appeared and new variants popped up on Monday and Tuesday.

In this specific case, the flaw involves Windows Plug and Play, and Microsoft patched the flaw on Tuesday in MS05-039. Microsoft rated the flaw critical for Windows 2000 and important for Windows XP and Windows Server 2003. The flaw can be used for remote code execution and local elevation of privilege. Researchers with Trend Micro say the flaw also affects Windows NT, although Microsoft did not publicly provide a patch for Windows NT since that operating system is no longer supported.

According to Microsoft, customers who have installed the MS05-039 security update are not at risk. The exploit code does not target Windows XP or Windows Server 2003, according to Microsoft's security advisory on the issue.

In its Zotob.A variant, the self-executing worm creates a file called botzor.exe in the Windows System directory and creates Registry run keys to load itself at startup, according to anti-virus vendor McAfee Inc. It appends entries to the hosts file to block access to anti-virus sites. Significantly, the worm contains bot functionality -- it attempts to connect to the Internet Relay Chat (IRC) server diabl0.turkcoders.net on TCP port 8080 and joins a specified channel to wait for instructions from a malicious attacker.

To spread itself, the worm creates 16 threads to scan for unpatched systems on TCP port 445. When it finds an unpatched system, the worm sends a malformed request that triggers the buffer overflow and delivers shellcode to compromise the vulnerable system.
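As an added illustration (not part of the original article or of any vendor's tooling), the following Python shows how a defender might hunt for the indicators described in the two paragraphs above: the IRC call-out on TCP port 8080, the port 445 sweep, and hosts-file entries that black-hole anti-virus sites. The log format, the scan threshold, the sample data and the watched domain list are constructed assumptions.

```python
"""Defender-side checks for the Zotob.A indicators described in the article."""
from collections import defaultdict
import re

# Controller host and port are from the article; the scan threshold is an assumption.
IRC_C2 = ("diabl0.turkcoders.net", 8080)
SCAN_PORT = 445
SCAN_THRESHOLD = 10  # distinct hosts touched on TCP/445 by one source (assumed)

# Constructed firewall log format: "<src> -> <dst>:<port>"
LOG_LINE = re.compile(r"^(\S+) -> (\S+):(\d+)$")


def _parse(lines):
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def detect_scanners(lines, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct hosts on TCP/445 (a sweep)."""
    targets = defaultdict(set)
    for src, dst, port in _parse(lines):
        if port == SCAN_PORT:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= threshold)


def detect_c2(lines):
    """Sources that connected to the IRC controller named in the article."""
    return sorted({src for src, dst, port in _parse(lines) if (dst, port) == IRC_C2})


def hosts_file_blocks(hosts_text, watched_domains):
    """Watched domains that the hosts file maps to loopback, cutting off AV sites."""
    blocked = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) >= 2 and (fields[0].startswith("127.") or fields[0] == "0.0.0.0"):
            blocked.update(n for n in fields[1:] if n in watched_domains)
    return sorted(blocked)


# Constructed sample input: one host sweeping 445 and calling home, one normal host.
SAMPLE_LOG = ["10.0.0.5 -> 10.0.1.%d:445" % i for i in range(1, 21)] + [
    "10.0.0.5 -> diabl0.turkcoders.net:8080",
    "10.0.0.9 -> 10.0.1.3:445",
    "10.0.0.9 -> fileserver.corp.example:445",
]
# Constructed hosts file: AV vendor names are stand-ins, not real worm-added entries.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-updates.example\n0.0.0.0 av-vendor.example  # added\n"
WATCHED = {"av-updates.example", "av-vendor.example"}
```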

Microsoft Security Bulletin MS05-039 is available here.

The Microsoft Security Advisory about the Zotob worm is available here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
