News

Zotob Worm That Exploits Plug and Play Hole Spreading Slowly

• By Scott Bekker
• August 16, 2005

A Microsoft official said Monday that a dangerous new worm dubbed Zotob is spreading slowly, but Microsoft is on high alert and the company recommends that customers apply a patch for the Windows Plug and Play vulnerability the worm exploits.

"Our investigation has determined that only a small number of customers have been affected and we're working directly with them," wrote Stephen Toulouse in an entry in the Microsoft Security Response Center blog. "We have seen no indication of widespread impact to the Internet … We will remain watchful for any variants or any further customer impact."

Zotob, also known as Worm:Win32/Zotob.A, and several variants emerged over the weekend. The worm followed a common pattern: Microsoft released a patch for a previously undisclosed vulnerability on Tuesday. By Thursday, security researchers had posted exploit code for the flaw -- a precursor to many worms. Over the weekend, the first worm appeared and new variants popped up on Monday and Tuesday.

In this specific case, the flaw involves Windows Plug and Play, and Microsoft patched the flaw on Tuesday in MS05-039. Microsoft rated the flaw critical for Windows 2000 and important for Windows XP and Windows Server 2003. The flaw can be used for remote code execution and local elevation of privilege. Researchers with Trend Micro say the flaw also affects Windows NT, although Microsoft did not publicly provide a patch for Windows NT since that operating system is no longer supported.

According to Microsoft, customers who have installed the MS05-039 security update are not at risk. The exploit code does not target Windows XP or Windows Server 2003, according to Microsoft's security advisory on the issue.

In its Zotob.A variant, the self-executing worm creates a file called botzor.exe in the Windows System directory and creates Registry run keys to load itself at startup, according to anti-virus vendor McAfee Inc. It appends the hosts file to block access to anti-virus sites. Significantly, the worm contains bot functionality -- it attempts to connect to the Internet Relay Chat (IRC) server diabl0.turkcoders.net on TCP port 8080 and joins a specified channel to wait for instructions from a malicious attacker.

To spread itself, the worm creates 16 threads to scan for unpatched systems on TCP port 445. When it finds an unpatched system, the worm sends a buffer overflow and shellcode to compromise the vulnerable system.

Microsoft Security Bulletin MS05-039 is available here.

The Microsoft Security Advisory about the Zotob worm is available here.