SecurityFocus, 2005-08-14
A worm started spreading on Sunday using a flaw in the Windows operating system's Plug-and-Play functionality, according to two security groups, who advised users to update systems using a patch released by Microsoft five days ago.
The worm, dubbed Zotob by antivirus firm F-Secure, started spreading early Sunday morning, according to a statement posted by the company. The security firm did not post any additional information about the extent of the digital epidemic, however.
F-Secure's researchers do not believe that the worm will widely infect computer systems.
"Zotob is not going to become another Sasser," F-Secure's researchers said on the virus lab's blog. The worm does not infect computers running Windows XP Service Pack 2 or Windows 2003, as those systems are somewhat protected against the Windows Plug-and-Play vulnerability. Machines that block port 445 using a firewall will also not be vulnerable, the company said. "As a result, the majority of Windows boxes on the Net won't be hit by (the worm)," the blog stated.
The worm is the first major worm since Sasser to spread by targeting a vulnerability in Microsoft Windows. The Sasser worm started spreading on April 30, 2004, using a vulnerability in a Windows component known as the Local Security Authority Subsystem Service, or LSASS. While it's unknown how far that worm spread, a week into the outbreak Microsoft said that 1.5 million users had downloaded a cleaning tool for it. The earlier Blaster worm had infected about 10 million users, according to Microsoft estimates.
The Zotob worm uses a flaw in the Plug-and-Play capabilities of Microsoft Windows, which the software giant had patched five days before, on August 9. The worm compromises systems by sending data on port 445. Once a computer is infected with the program, the worm starts a file-transfer protocol (FTP) server and attempts to spread further, according to an analysis by the Internet Storm Center, a group of volunteers who monitor network threats on behalf of the SANS Institute.
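The two behaviours the Internet Storm Center analysis describes, a sweep of port 445 from each infected host and an FTP server that appears on that host afterwards, are what a network defender would look for in connection logs. The script below is an added example, not code from the article, F-Secure, or the ISC: it runs over a constructed flow log and flags sources that contact many distinct hosts on port 445 in a short window, hosts that were hit on 445 and then start sweeping themselves, and non-445 ports on which a sweeping host only begins accepting connections after its sweep started. The log format, the threshold of five targets per minute, and port 9999 (a placeholder, since the article does not give the port the worm's FTP server used) are all assumptions made for the example.

```python
from collections import defaultdict

SMB_PORT = 445
SCAN_THRESHOLD = 5   # distinct port-445 targets from one source inside WINDOW; illustrative value
WINDOW = 60          # seconds

# Constructed sample flow log, one connection attempt per line: "timestamp src dst dport".
# 10.0.0.7 sweeps port 445; 10.0.0.20 then connects back to 10.0.0.7 on an unusual port
# (placeholder 9999: the article does not state the worm's FTP port) and starts sweeping
# itself. 10.0.0.50 and 10.0.0.51 are ordinary clients of the file server 10.0.0.100.
SAMPLE_LOG = """\
100 10.0.0.7 10.0.0.20 445
101 10.0.0.7 10.0.0.21 445
102 10.0.0.7 10.0.0.22 445
103 10.0.0.7 10.0.0.23 445
104 10.0.0.7 10.0.0.24 445
105 10.0.0.7 10.0.0.25 445
106 10.0.0.20 10.0.0.7 9999
120 10.0.0.20 10.0.0.30 445
121 10.0.0.20 10.0.0.31 445
122 10.0.0.20 10.0.0.32 445
123 10.0.0.20 10.0.0.33 445
124 10.0.0.20 10.0.0.34 445
300 10.0.0.50 10.0.0.100 445
301 10.0.0.51 10.0.0.100 445
"""


def parse_flows(text):
    """Parse the constructed log into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def find_scanners(flows, threshold=SCAN_THRESHOLD, window=WINDOW):
    """Map each source that hits >= threshold distinct hosts on port 445 within
    window seconds to the timestamp at which that sweep began."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                scanners[src] = start
                break
    return scanners


def find_infection_chain(flows, scanners):
    """(infector, victim) pairs: a scanner hit the victim on 445 before the victim
    itself began sweeping, which is what a successful hand-off of the worm looks like."""
    pairs = set()
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT and src in scanners and dst in scanners and ts < scanners[dst]:
            pairs.add((src, dst))
    return sorted(pairs)


def find_new_listeners(flows, scanners):
    """(host, port) pairs where a scanning host accepts inbound connections on a non-445
    port only after its sweep began, consistent with the FTP server the worm opens."""
    before = defaultdict(set)
    after = defaultdict(set)
    for ts, src, dst, dport in flows:
        if dst in scanners and dport != SMB_PORT:
            (after if ts >= scanners[dst] else before)[dst].add(dport)
    return sorted((host, port) for host, ports in after.items() for port in ports - before[host])


def report(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings as a dict."""
    flows = parse_flows(text)
    scanners = find_scanners(flows)
    return {
        "scanners": scanners,
        "infection_chain": find_infection_chain(flows, scanners),
        "new_listeners": find_new_listeners(flows, scanners),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample log the two sweeping hosts are reported, the hand-off from 10.0.0.7 to 10.0.0.20 is reconstructed from the timing, and 10.0.0.7's new inbound port is surfaced; the two legitimate clients of 10.0.0.100 never reach the threshold. On a real network the threshold and window would need tuning against normal SMB traffic, and a host that blocks port 445 at its firewall, as F-Secure recommends, would not appear as a victim at all.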
The group received reports of the worm as early as 7:30 a.m. EST, according to the ISC's daily diary.
On Friday, the Internet Storm Center raised its threat level for the Internet to yellow, because three different groups had published code for taking advantage of the Microsoft Windows Plug-and-Play flaw to compromise Windows machines. Windows 2000 systems are especially vulnerable to the exploits.
Microsoft's investigation into the worm indicated that it only infects Windows 2000 systems.
"Microsoft's investigation into this malicious act is ongoing so that we can continue to understand how we can help support customers," the company stated in an advisory posted Sunday. "We are working closely with our anti-virus partners and aiding law enforcement in its investigation."
The company verified that any system patched by its update released last Tuesday will not be infected by the worm.