News

Zotob Worm That Exploits Plug and Play Hole Spreading Slowly

A Microsoft official said Monday that a dangerous new worm dubbed Zotob is spreading slowly, but Microsoft is on high alert and the company recommends that customers apply a patch for the Windows Plug and Play vulnerability the worm exploits.

"Our investigation has determined that only a small number of customers have been affected and we're working directly with them," wrote Stephen Toulouse in an entry in the Microsoft Security Response Center blog. "We have seen no indication of widespread impact to the Internet … We will remain watchful for any variants or any further customer impact."

Zotob, also known as Worm:Win32/Zotob.A, and several variants emerged over the weekend. The worm followed a common pattern: Microsoft released a patch for a previously undisclosed vulnerability on Tuesday. By Thursday, security researchers had posted exploit code for the flaw -- a precursor to many worms. Over the weekend, the first worm appeared and new variants popped up on Monday and Tuesday.

In this specific case, the flaw involves Windows Plug and Play, and Microsoft patched the flaw on Tuesday in MS05-039. Microsoft rated the flaw critical for Windows 2000 and important for Windows XP and Windows Server 2003. The flaw can be used for remote code execution and local elevation of privilege. Researchers with Trend Micro say the flaw also affects Windows NT, although Microsoft did not publicly provide a patch for Windows NT since that operating system is no longer supported.

According to Microsoft, customers who have installed the MS05-039 security update are not at risk. The exploit code does not target Windows XP or Windows Server 2003, according to Microsoft's security advisory on the issue.

In its Zotob.A variant, the self-executing worm creates a file called botzor.exe in the Windows System directory and creates Registry run keys to load itself at startup, according to anti-virus vendor McAfee Inc. It appends the hosts file to block access to anti-virus sites. Significantly, the worm contains bot functionality -- it attempts to connect to the Internet Relay Chat (IRC) server diabl0.turkcoders.net on TCP port 8080 and joins a specified channel to wait for instructions from a malicious attacker.

To spread itself, the worm creates 16 threads to scan for unpatched systems on TCP port 445. When it finds an unpatched system, the worm sends a buffer overflow and shellcode to compromise the vulnerable system.

Microsoft Security Bulletin MS05-039 is available here.

The Microsoft Security Advisory about the Zotob worm is available here.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Offers Support Extensions for Exchange 2016 and 2019

    Microsoft has introduced a paid Extended Security Update (ESU) program for on-premises Exchange Server 2016 and 2019, offering a crucial safety cushion as both versions near their Oct. 14, 2025 end-of-support date.

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Notebook

    Microsoft Centers AI, Security and Partner Dogfooding at MCAPS

    Microsoft's second annual MCAPS for Partners event took place Tuesday, delivering a volley of updates and directives for its partners for fiscal 2026.

  • Microsoft Layoffs: AI Is the Obvious Elephant in the Room

    As Microsoft doubles down on an $80 billion bet on AI this fiscal year, its workforce reductions are drawing scrutiny over whether AI's ascent is quietly reshaping its human capital strategy, even as official messaging avoids drawing a direct line.