Source: http://www.microsoft.com/presspass/press/2005/aug05/08-16zotob.mspx
Editor's Note, August 17, 2005 -- The statement has been updated to include new information on Zotob and how Windows 2000 customers can protect themselves from the worm.
REDMOND, Wash., August 16, 2005 -- Microsoft has made a no-cost, software-based cleaner tool available that customers can use to automatically remove the Zotob worm and its variants from infected PCs after deploying the security update. The tool is available at: http://www.microsoft.com/malwareremove.
We are not aware at this time of a new attack; our analysis has revealed that the reported worms are variants of the existing worm called Zotob. Zotob has thus far had a low rate of infection compared to other network worms. Microsoft attributes this lower impact to customers who have taken on more of a “maintenance mindset” -- practicing good security behaviors and using newer and more secure versions of software.
Zotob only targets Windows 2000. Customers who have upgraded to Windows XP—as well as customers who have applied the MS05-039 security update to Windows 2000—are not impacted by this attack. The MS05-039 security bulletin is available at http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx or users can use Windows Update or Microsoft Update to access the latest security update.
Microsoft is working closely with law enforcement to help identify and bring to justice those responsible for this malicious activity. At the same time, Microsoft is working closely with the anti-virus community and other industry partners to help protect our customers. Customers using a firewall are generally protected against the Zotob threat.
This update resolves a newly-discovered, privately-reported vulnerability. A remote code execution vulnerability exists in Plug and Play (PnP) that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The vulnerability is documented in the “Vulnerability Details” section of this bulletin.
We recommend that customers apply the update immediately.
Here is a status update on the malware using the Plug-and-Play vulnerability (MS05-039).
Over the last four days we have received 11 different samples of malware using this vulnerability. Currently there are three Zotob variants (.A, .B and .C), one Rbot (.YK), one Sdbot (.ADB), one CodBot, three IRCBots (.ES, .ET and .EX) and two variants of Bozori (.A, .B).
Variants from both IRCBot and Bozori families are deleting competing PnP bots.
It seems there are two groups fighting each other: IRCBot and Bozori vs. Zotob and the other bots.