Contrary to your probable first impression, Zotob is NOT the third bastard child of Haruk the Klingon.
In fact, it’s a nasty new worm that exploits a vulnerability in Plug and Pray (the Windows Plug and Play service, patched by MS05-039) to take control of a Windows system over the network.
Windows 2000 systems are particularly at risk, although Windows XP and Windows Server 2003 can also be infected under certain configurations (see the note below).
“The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an FTP server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via FTP.
Important facts so far:
– Patch MS05-039 will protect you
– Windows XP SP2 and Windows 2003 cannot be exploited by this worm, as the worm does not use a valid logon.
– Blocking port 445 will protect you (but watch for internal infected systems)
– The FTP server does not run on port 21. It appears to pick a random high port.”
Note that in certain rare cases, Zotob can infect Windows XP and Windows Server 2003 systems if the computers were set up to allow Null sessions (anonymous logon to the IPC$ share), which is what the exploit relies on. See the PC World article here.
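The two behaviours quoted above (a host fanning out to many neighbours on 445/tcp, and a freshly hit host connecting straight back to the scanner on a random high port to fetch the payload) are easy to spot in firewall or NetFlow-style connection logs. The following is an added detection example written for this post; it is not code from the original article, from Sunbelt, or from the ISC. The log format, the thresholds, the time windows and the sample addresses are all assumptions made for the example, and the log lines are constructed, not captured from a real infection.

```python
"""
Detect Zotob-style propagation in simple connection logs.

Two signals, taken from the worm description quoted above:
  1. One source touches many distinct hosts on 445/tcp in a short window
     (the worm scanning for Plug and Play targets).
  2. Shortly after being hit on 445/tcp, the target connects back to the
     scanning host on a high TCP port (the worm's FTP server on a random
     high port, serving the main payload).
Thresholds, windows and the log format are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_THRESHOLD = 5                  # distinct 445/tcp destinations (assumed)
SCAN_WINDOW = timedelta(seconds=60)  # window for the fan-out count (assumed)
FETCH_WINDOW = timedelta(seconds=30)  # max gap between 445 hit and callback (assumed)
HIGH_PORT_MIN = 1024                # "random high port" lower bound (assumed)

# Constructed sample log, one connection per line: "timestamp src dst dport proto".
# 10.0.0.5 sweeps five neighbours on 445; 10.0.0.21 then calls back on 33190.
# 10.0.0.8 -> 10.0.0.9:445 is a single legitimate file-share connection.
SAMPLE_LOG = """\
2005-08-14T10:00:01 10.0.0.5 10.0.0.20 445 tcp
2005-08-14T10:00:02 10.0.0.5 10.0.0.21 445 tcp
2005-08-14T10:00:03 10.0.0.5 10.0.0.22 445 tcp
2005-08-14T10:00:04 10.0.0.5 10.0.0.23 445 tcp
2005-08-14T10:00:05 10.0.0.5 10.0.0.24 445 tcp
2005-08-14T10:00:06 10.0.0.21 10.0.0.5 33190 tcp
2005-08-14T10:00:08 10.0.0.8 10.0.0.9 445 tcp
2005-08-14T10:00:10 10.0.0.7 10.0.0.9 80 tcp
"""


def parse(log):
    """Parse the assumed log format into (timestamp, src, dst, dport, proto) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events


def find_scanners(events):
    """Return sources that hit >= SCAN_THRESHOLD distinct hosts on 445/tcp
    inside any SCAN_WINDOW-long window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in events:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                scanners.add(src)
                break
    return scanners


def find_payload_fetches(events):
    """Return (victim, infector, port) for each high-port connection a host
    makes back to a source that hit it on 445/tcp within FETCH_WINDOW before.
    The pairing with the preceding 445 session is what keeps this specific;
    a high-port connection on its own is not suspicious."""
    smb_hits = [(ts, src, dst) for ts, src, dst, dport, proto in events
                if proto == "tcp" and dport == 445]
    fetches = []
    for ts, src, dst, dport, proto in events:
        if proto != "tcp" or dport < HIGH_PORT_MIN:
            continue
        for t445, infector, victim in smb_hits:
            if (src == victim and dst == infector
                    and timedelta(0) <= ts - t445 <= FETCH_WINDOW):
                fetches.append((src, dst, dport))
                break
    return fetches


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("445/tcp scanners:", find_scanners(evs))
    print("payload fetches (victim, infector, port):", find_payload_fetches(evs))
```

On a real network, exempt known 445 fan-out sources such as domain controllers, backup and patch-management hosts before alerting on the scanner signal, and treat the callback signal as the stronger of the two: a host that was just hit on 445 and immediately opens a connection to an unusual high port on the same peer is exactly the "download the main payload via FTP" step described above, and that peer is the one to isolate first.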
Alex Eckelberry
(Tip ‘o the hat to Eric)