Topic: Patch Time guys :ZOTOB worm

Offline Sirgod

  • Whooot Master Cattle Baron
  • Global Moderator
  • Vice Admiral
  • *
  • Posts: 27844
  • Gender: Male
Patch Time guys :ZOTOB worm
« on: August 15, 2005, 09:54:02 am »
http://news.zdnet.com/2100-1009_22-5832849.html
A new Internet worm has been detected that can infect Microsoft's Windows platforms faster than previous computer worms, according to an antivirus software maker.

The Zotob worm appeared shortly after the world's largest software maker warned of three newly found "critical" security flaws in its software, including one that could allow attackers to take complete control of a computer.

The latest worm exploits security holes in Microsoft's Windows 95, 98, ME, NE, 2000 and XP platforms and can give computer attackers remote access to affected systems, said Trend Micro.

"Hundreds of infection reports were sighted in the United States and Germany," Tokyo-based Trend Micro said in a statement released late last week.

"Since most users may not be aware of this newly announced security hole so as to install the necessary patch during last weekend, we can foresee more infections from worm Zotob," it said.

The latest virus drops a copy of itself into the Windows system folder as BOTZOR.EXE and modifies the system's host file in the infected user's computer to prevent the user getting online assistance from antivirus web sites, Trend Micro added.

It can also connect to a specific Internet relay chat server and give hackers remote control over affected systems, which can be used to infect other unpatched machines in a network and slow down the network performance.

Last Tuesday, Microsoft issued patches to fix its security flaws as part of its monthly security bulletin. The problems affect the Windows operating system and Microsoft's Internet Explorer Web browser.

Microsoft has warned that an attacker could exploit a vulnerability in its Internet Explorer Web browser and lure users to malicious Web pages, and could run software code on the user's PC, giving the attacker control of the affected computer.

Computer users should update their antivirus pattern files and apply the latest Microsoft patches to protect their computer systems, Trend Micro said.

More than 90 percent of the world's PCs run on the Windows operating system, and Microsoft has been working to improve the security and reliability of its software.

---------------------------------------

Stephen
"You cannot exaggerate about the Marines. They are convinced to the point of arrogance, that they are the most ferocious fighters on earth - and the amusing thing about it is that they are."- Father Kevin Keaney, Chaplain, Korean War
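The article quoted in the post above says the worm edits the hosts file so the user cannot reach antivirus web sites. The following is an added example, not part of the original post or of any vendor tool, that parses hosts-file text and reports entries overriding security-vendor domains. The watch list and the sample file are constructed assumptions; the article does not list the blocked domains.

```python
import ipaddress

# Assumed watch list of security-vendor and update domains (illustrative only;
# the article does not list the domains the worm blocks).
WATCHED = ("trendmicro.com", "f-secure.com", "symantec.com", "windowsupdate.com")

# Constructed sample of a tampered hosts file, not taken from a real infection.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1 f-secure.com WWW.F-Secure.com   # several names on one line
0.0.0.0         update.symantec.com
192.0.2.10      intranet.example.test
not-an-ip       www.windowsupdate.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every well-formed hosts entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, not an entry
        yield line_no, ip, [h.lower().rstrip(".") for h in fields[1:]]

def is_watched(host):
    """True when host is a watched domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in WATCHED)

def suspicious_entries(text):
    """Return (line_no, host, address, sinkholed) for each watched-domain override."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        sinkholed = ip.is_loopback or ip.is_unspecified
        findings += [(line_no, h, str(ip), sinkholed) for h in hosts if is_watched(h)]
    return findings

if __name__ == "__main__":
    for line_no, host, addr, sinkholed in suspicious_entries(SAMPLE_HOSTS):
        tag = "SINKHOLED" if sinkholed else "OVERRIDDEN"
        print(f"hosts line {line_no}: {host} -> {addr} [{tag}]")
```

On a Windows machine the text to feed in is the content of the `hosts` file under the system folder's `drivers\etc` directory.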

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: Patch Time guys :ZOTOB worm
« Reply #1 on: August 15, 2005, 10:04:12 am »
Not to misinform anyone but I believe there is not a patch out yet for this worm. So be careful all.
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Sirgod

Re: Patch Time guys :ZOTOB worm
« Reply #2 on: August 15, 2005, 10:16:23 am »
Yeah, I just checked out the Microsoft site, and I couldn't find anything. Since Trend Microvirus was mentioned I'll check it out next, right after I check out that Deepnet explorer. Just downloaded it.

Stephen

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
« Last Edit: August 15, 2005, 11:25:10 am by Bonk »

Offline Sirgod

Re: Patch Time guys :ZOTOB worm
« Reply #4 on: August 15, 2005, 11:15:09 am »
Thanks again Bonk.

Stephen

Offline FA Frey XC

  • Site Owner
  • Administrator
  • Captain
  • *
  • Posts: 5695
  • Gender: Male
    • XenoCorp.Net
Re: Patch Time guys :ZOTOB worm
« Reply #5 on: August 15, 2005, 04:46:15 pm »
Nice call SirGod.

Vice President of Technology,
Dynaverse Gaming Association
Owner, CEO XenoCorp Inc.


Offline Sirgod

Re: Patch Time guys :ZOTOB worm
« Reply #6 on: August 15, 2005, 04:47:51 pm »
Anytime Bro. I want all of our users here at D.net to be ready with their PCs.

Stephen

Offline toasty0

Re: Patch Time guys :ZOTOB worm {UPDATE}
« Reply #7 on: August 15, 2005, 11:52:07 pm »
A new worm that was unleashed over the weekend affects only a limited group of Windows users and has not wreaked any widespread havoc, according to Trend Micro.
As of Monday morning on the West Coast, the original Zotob.A had infected about 50 computers worldwide, and the first variant, Zotob.B, had compromised about 1,000 systems, the antivirus software maker said.

"There are not that many infections," said David Perry, director of global education at Trend Micro.

The worm, which has spawned at least two variants, exploits a hole in the plug-and-play feature in the Windows operating system. It surfaced only days after Microsoft offered a fix for the "critical" bug as part of its monthly patching cycle.

While early reports on Zotob suggested it was spreading rapidly, the impact of the worm has actually been restricted because it targets PCs running Windows 2000, an older version of the software, Microsoft said. It poses no threat to computers running the newer Windows XP and Windows Server 2003, the company added.

"Only a small number of customers have actually been affected," said Stephen Toulouse, a program manager in Microsoft's security group. "It is not something that has any type of widespread impact on the Internet...It hits Windows 2000 customers very specifically."

Zotob appeared in record time after Microsoft's patch release, according to Trend Micro. "This is the fastest turnaround from the announcement of the vulnerability to an actual virus," Perry said.

Last Tuesday, Microsoft issued patches to fix the plug-and-play vulnerability in various versions of Windows. The bulletins included fixes for the newer Windows XP and Windows Server 2003, even though the software maker already said at the time that only PCs running Windows 2000 were susceptible to a remote attack via the vulnerability.

There are desktop and server versions of Windows 2000, which was released in 2000 for business users rather than consumers. More recent editions of Windows are available, but Windows 2000 remains popular. The operating system ran on 48 percent of business PCs during the first quarter of 2005, according to a recent study by AssetMetrix.

Users of Windows 2000 should be on guard, especially if they are not using a firewall, said Mikko Hypponen, director of antivirus research at software maker F-Secure. Zotob.A and Zotob.B scan the Internet for vulnerable systems using TCP port 445, a port typically blocked by a firewall, he said.

When a target system is found by Zotob, it installs a shell program on the computer that downloads the actual worm code, named Haha.exe, using FTP (File Transfer Protocol). The newly infected system then starts searching for new computers to compromise.

A second offshoot, Zotob.C, adds a mass-mailing capability, which means it can also spread by e-mail.

The worm itself doesn't have a destructive payload, but the first two versions do let the attacker commandeer the infected machine. "It leaves an open back door. It could download anything," Perry said.
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista
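The update quoted in the post above says Zotob.A and Zotob.B look for vulnerable systems over TCP port 445. The following is an added example, not part of the original post or of any vendor tool, that flags internal hosts fanning out to many distinct destinations on TCP 445 within a short window. The log format, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall log format (hypothetical): "<ISO time> SRC=.. DST=.. PROTO=.. DPT=.."
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)$")

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = (
    # one host touching 8 different machines on 445 within 8 seconds
    [f"2005-08-15T10:00:{i:02d} SRC=10.0.0.23 DST=10.0.5.{i + 1} PROTO=TCP DPT=445" for i in range(8)]
    # a normal client talking to a single file server
    + [f"2005-08-15T10:01:{i:02d} SRC=10.0.0.40 DST=10.0.0.2 PROTO=TCP DPT=445" for i in range(8)]
    # six destinations, but spread over 25 minutes
    + [f"2005-08-15T10:{i * 5:02d}:00 SRC=10.0.0.51 DST=10.0.6.{i + 1} PROTO=TCP DPT=445" for i in range(6)]
    # many destinations on another port are out of scope here
    + [f"2005-08-15T10:02:{i:02d} SRC=10.0.0.23 DST=10.0.7.{i + 1} PROTO=TCP DPT=80" for i in range(8)]
)

def parse(lines):
    """Yield (time, src, dst, proto, dport) for lines that match LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, proto, dport = m.groups()
            yield datetime.fromisoformat(ts), src, dst, proto, int(dport)

def smb_scanners(lines, threshold=5, window=timedelta(seconds=60)):
    """Map each source to its peak count of distinct TCP/445 destinations
    inside any sliding window, keeping only sources at or above threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in parse(lines):
        if proto == "TCP" and dport == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        win, counts, peak = deque(), defaultdict(int), 0
        for ts, dst in events:
            win.append((ts, dst))
            counts[dst] += 1
            while ts - win[0][0] > window:       # expire events older than the window
                _, old = win.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Calling `smb_scanners(SAMPLE_LOG)` reports only the host that reached many machines on 445 in a burst; the single-server client and the slow, spread-out source stay below the threshold.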