W32.Zotob.A

Thread: W32.Zotob.A

  1. #1
    Join Date
    Jan 2003
    Location
    US
    Posts
    5,634

    W32.Zotob.A

    Discovered on: August 14, 2005

    W32.Zotob.A is a worm that spreads using the vulnerability in Microsoft Windows Plug and Play Service (as described in Microsoft Security Bulletin MS05-039). For more details, see the following link.

    http://www.sarc.com/avcenter/venc/data/w32.zotob.a.html
    Eric

  2. #2
    Join Date
    Jul 2004
    Location
    North West England.
    Posts
    9,568
    Desktop:I5 2500K|Asus P8Z68-V|8GB Corsair Vengeance|1280MB Nvidia 560 TI PE|1TB Seagate/60GB OCZ SSD|LG Blu-ray Writer|Corsair 750W
    27" iMac:I5 2500S|12GB Crucial DDR3|ATI 1GB 6970|1TB|Superdrive|Mighty Mouse

  3. #3
    Join Date
    Apr 2000
    Location
    Friern Barnet, London, England
    Posts
    46,565
    And more here:

    http://www.theregister.co.uk/2005/08/15/zytob_worm/

    This looks like a nasty one. Anyone who hasn't got the latest Windows Updates (especially those running Windows 2000) should get them now.
    Nick.

  4. #4
    Join Date
    Nov 2001
    Location
    Fishbel
    Posts
    2,412
    Quote Originally Posted by SuperSparks
    And more here:

    http://www.theregister.co.uk/2005/08/15/zytob_worm/

    This looks like a nasty one. Anyone who hasn't got the latest Windows Updates (especially those running Windows 2000) should get them now.
    That should go without saying-- however, some people think they or their machines are bulletproof. And when major companies are affected by these things, for which warnings and patches existed at least a week before the outbreak-- that's just sad.
    Welcome to the Eclipse(C). The Evolution of an Idea
    Options: DCM3 LCR VMS CVM Sil CPI VMI ANI 648 CA1 SACD500 Att CID RLS TIME DLG

    Version: ECLIPSE 2.0.0 09/09/98 System is BUSY Thu 07-21-05 1:31 pm
    Access Level = 10 Port = 10

  5. #5
    Join Date
    Oct 2000
    Location
    graham, tx, us
    Posts
    7,156
    The news today is reporting on Zotob.B and variants. MS is downplaying the threat while others say it is more severe.

    Has anyone read that these are back door worms? A couple of reports indicated these worms can take over your computer without you clicking on whatever web page they are embedded in is why I am asking.

    Anyway you look at it though in the end all this evolving malware will cost us little guys more out of our wallets.

    As each MS operating system has come out on the market the size of them get bigger. Maybe we should have an OS the same size and concentrate on the holes more.

    One thing for sure, we have not come close to stopping the bad guys.

  6. #6
    Join Date
    Jul 2004
    Location
    North West England.
    Posts
    9,568
    Worm warning hits highest levels
    McAfee adds IRCbot warning to Zotob landscape...


    Users rushing to protect themselves from the Zotob worm are being warned not to take their eyes off other threats as McAfee raises its alert level on the newly discovered IRCbot to the highest alert.

    The internet relay chat (IRC) worm spreads by exploiting a Microsoft vulnerability. Although a patch has been available since Microsoft announced the vulnerability on 9 August, the spread of the worm suggests users have been slow to apply it.

    The MS05-039 vulnerability has also been leapt on by the virus writers who have launched the recent SDBot family of viruses, Rbot and the Zotob virus which has been causing pain for users around the world in the past 24 hours.

    According to McAfee, the seven day turnaround of the vulnerability being announced and the appearance of the first exploit has been the quickest ever. The IRCbot was the first of the exploits to propagate en masse.

    IRCbot.worm!MS05-039 contacts a remote IRC server and waits for further instructions, according to McAfee. It also copies itself to the Windows System directory, appearing as WINTBP.EXE. Registry keys are created to load the worm at start-up. If the system has not been patched it will continually reboot.

    Liam

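One way to check for the IRCbot persistence described in the post above, as an added example that is not part of the original thread or McAfee's write-up: it scans a registry export for autostart values that launch WINTBP.EXE. The autostart key paths, the sample export, and the function names are assumptions, since the post names only the file.

```python
import re
from ntpath import basename

# File name from the McAfee description quoted in the post above.
SUSPECT_NAMES = {"wintbp.exe"}
# Assumption: the post names no registry keys; these are common autostart keys.
AUTORUN_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runservices",
)
# Constructed sample in .reg export format, not taken from a real host.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"Wintbp"="\"C:\\WINNT\\system32\\WINTBP.EXE\" -start"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="wintbp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Settings]
"LastFile"="C:\\temp\\wintbp.exe"
'''
# "name"="data" lines; both sides may contain backslash-escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def executable_of(command):
    """Return the lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted paths may contain spaces: cut at the first ".exe" boundary.
        m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
        path = m.group(1) if m else command.split(" ", 1)[0]
    return basename(path).lower()

def find_suspect_autoruns(reg_text):
    """Return (key, value name, command) for autostart entries running a suspect file."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(AUTORUN_SUFFIXES):
            # .reg strings escape backslash and double quote with a backslash.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            if executable_of(data) in SUSPECT_NAMES:
                hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    print(find_suspect_autoruns(SAMPLE_REG))
```

The `LastFile` value is not reported because its key is not an autostart location; only the two entries that would launch the file at start-up are returned.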
  7. #7
    Join Date
    Nov 2000
    Location
    Scotland
    Posts
    320
    I am very glad to have guys at Virtual Doctor around. Although I have automatic updates switched on to advise me of any Win 2000 security updates, I still have not been warned by Microsoft directly about this latest problem. Even when I ask on the MS update page to scan my PC for any critical updates missing, I am still not told about Security Update KB899588. I only found it after reading the VDr posting and a separate email warning from McAfee.

    Any ideas why the MS auto update failed to warn me?

  8. #8
    Join Date
    Apr 2005
    Location
    Maryland, USA
    Posts
    17,806
    Maybe because Microsoft doesn't consider it "critical"?

    Once you get to the http://windowsupdate.microsoft.com site, instead of clicking the "Express" button, click the "Custom" button and look in the left column for any other "non-critical" updates that may be available for your setup.

  9. #9
    Join Date
    Nov 2000
    Location
    Scotland
    Posts
    320
    I see your point - though McAfee clearly thinks it to be critical.

    On the same topic, though, can you explain the following:

    I have downloaded Security Update KB899588 following VDR and McAfee's advice but it does not show up on the "Review your update history" option on the MS Update Website.

    It does show up within Add / Remove Programs, however.

  10. #10
    Join Date
    Jul 2004
    Location
    North West England.
    Posts
    9,568
    I have downloaded Security Update KB899588 following VDR and McAfee's advice but it does not show up on the "Review your update history" option on the MS Update Website.

    Because it was a manual download and install it appears in Add/Remove, whereas if you had downloaded and installed the update through Windows Update the process would be logged in update history.


    Liam

  11. #11
    Join Date
    Nov 2000
    Location
    Scotland
    Posts
    320
    I now understand. Thanks.

  12. #12
    Join Date
    Jul 2004
    Location
    North West England.
    Posts
    9,568
    No Problem.



    Liam

  13. #13
    Join Date
    Jul 2004
    Location
    North West England.
    Posts
    9,568
    Authorities Nab Zotob Writers

    The FBI arrested two men in connection with this month's computer virus that wreaked havoc on computer networks at companies and government agencies throughout North America.

    During a press conference today, federal officials said Farid Essebar, 18, of Morocco, and Atilla Ekici, 21, of Turkey, were arrested Thursday in their respective countries. They are charged in connection with writing and releasing the Zotob and Mytob worms, according to the FBI.

    Essebar, who used the moniker "Diabl0," and Ekici, known as "Coder," are believed to have worked together on the viruses, although the FBI could not say if they had ever met in person.

    Zotob, a fast moving virus, surfaced earlier this month after Microsoft warned of the security flaw. It hit several media outlets hard, including ABC, CNN, The Associated Press and The New York Times, among others.

    The worm took advantage of the Windows Plug-and-Play vulnerability.

    "This arrest demonstrates the value of public-private collaboration, the first-class investigative work by the authorities and round-the-clock technical and investigative support provided by our Internet Crime Investigations Team here at Microsoft," said Brad Smith, senior vice president and general counsel at Microsoft.

    During a joint conference call with FBI officials, Smith said Microsoft's Internet Crime Investigations Team supported the investigation with international law enforcement immediately following the release of the two worms. The company provided technical information and analytical support to the FBI on this case, which was then shared with Moroccan and Turkish authorities.

    Louis M. Reigel III, FBI Cyber Division assistant director, said the worm was in part written by both men.

    Both countries are going to charge the men with crimes, although Reigel could not say which, because of varying laws regulating computer behavior.

    Liam
