Select Page

Contrary to your probable first impression, Zotob is NOT the third bastard child of Haruk the Klingon. 

In fact, it’s a nasty new worm that uses a vulnerability in Plug and Pray, allowing a remote attacker to control a Windows system remotely.

Windows 2000 systems are particularly at risk, although XP and 2003 Servers have a risk of infection.

According to Sans:

“The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.

Important facts so far:
– Patch MS05-039 will protect you
– Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
– Blocking port 445 will protect you (but watch for internal infected systems)
– The FTP server does not run on port 21. It appears to pick a random high port.”

Patch those systems!

Note that in certain rare cases, Zotob can infect a Windows XP and Windows Server 2003 systems, if the computers were set up to enable Null sessions.  See PC World article here.

Alex Eckelberry 
(Tip ‘o the hat to Eric)