Zotob prevention and cure
New worms attack vulnerable Windows 2000 and Windows XP SP1 machines.
By Robert Vamosi (August 15, 2005; revised August 17, 2005)


Quick facts

Name: Zotob (w32.zotob.worm) and several variations

What it does: Scans for vulnerable Windows 2000 machines, then downloads code

Means of transmission: Internet scanning and download

How to recognize: Unusual port activity and the inability to contact antivirus vendors online

Who is at risk: Windows 2000 users who have not patched their systems for the vulnerability described in Microsoft's August 2005 MS05-039 Security Bulletin



Virus rating: 6 out of 10
Less than a week after Microsoft issued a patch, someone has exploited the Plug-and-Play vulnerability described in Microsoft's August 2005 Security Bulletin MS05-039, affecting Windows 2000 installations. The Zotob (w32.zotob.worm) worm family scans the Internet looking for unpatched Windows 2000 machines, then downloads malicious code to those machines via remote access. Once infected, a machine is unable to contact antivirus vendors for help, then it attempts to download more code (possibly malicious) from an additional site. Only Windows 2000 users who have not patched their machines and are not running a desktop firewall are considered vulnerable at this time; users of Windows 95, 98, and Me are not considered to be targets, but without a personal firewall, these machines could be used to help scan for vulnerable machines. Windows XP SP2 users should be safe unless they have enabled Null sessions. Users of Mac OS X, Linux, and Unix are not affected. Because members of the Zotob worm family spread via the Internet, allow remote access, and could damage system files, these worms (collectively) rate a 6 on the CNET/ZDNet Virus Meter.

How it works
There are now several members in the Zotob family. The following list aggregates information from all antivirus vendors:

Zotob.a

Filename: botzor.exe
File size: 22,528 bytes
Uses ports: TCP 445, 8080, 33333

  • Opens FTP server on port 33333.
  • Copies 2pac.txt and haha.exe to the system directory.
  • Adds itself to system registry.
  • Modifies Hosts file to block antivirus and security app updates.

Zotob.b

Filename: csm.exe
File size: 27,648 bytes
Uses ports: TCP 445, 8080, 33333

  • Opens FTP server on port 33333.
  • Copies files 2pac.txt and haha.exe to the system directory.
  • Adds itself to system registry.
  • Modifies Hosts file to block antivirus and security app updates.

Zotob.c

Filename: per.exe
File size: 41,984 bytes
Uses ports: TCP 445, 8080, 33333

  • Mass-mailing worm with a predefined list of recipient names
  • Contains its own SMTP engine to send e-mail.
  • Opens FTP server on port 33333.
  • Adds itself to system registry.
  • Modifies Hosts file to block antivirus and security app updates.

Zotob.d

Filename: windrg32.exe
File size: 51,326 bytes
Uses ports: TCP 445, 1117, 6667

  • Opens FTP server on port 11173.
  • Attempts to end a variety of processes.
  • Adds itself to system registry and deletes other registry files.
  • Deletes a variety of files from the system and program files directories.
  • Adds itself to the run and run services in the registry.
  • Modifies Hosts file to block antivirus and security app updates.

Zotob.e

Filename: wintbp.exe
File size: 10,366 bytes
Uses ports: TCP 8594, 8080, 445; UDP 69

  • Opens TFTP server on port UDP 69.
  • Connects to IRC server at 72.20.27.115 on TCP port 8080.
  • Adds itself to the system registry.
  • Modifies Hosts file to block antivirus and security app updates.

Zotob.f

Filename: wintbpx.exe
File size: 10,878 bytes
Uses port: TCP 445

  • Adds itself to the system registry.
  • Creates a file named %Temp%\[NUMBER] containing TFTP scripts.
  • Connects to IRC server at 72.20.41.139.
  • Modifies Hosts file to block antivirus and security app updates.

Zotob.g

Filename: windrg32.exe
File size: 73,728 bytes
Uses ports: TCP 445, 6667, 1171

  • Attempts to connect to IRC servers on port 6667.
  • Attempts to end a variety of processes.
  • Modifies the registry and deletes a variety of registry entries.
  • Deletes a variety of files from the system.
  • Creates a file named %Temp%\[NUMBER] containing TFTP scripts.
  • Opens a TFTP server on port 1171.
  • Modifies Hosts file to block antivirus and security app updates.
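The two symptoms the article gives for recognizing an infection, a Hosts file that blocks antivirus and update sites and unusual port activity, can be checked mechanically. The script below is an added example and is not part of the CNET article or any vendor's tool: it parses Hosts-file text and a `netstat -an`-style listing and reports entries that match the ports the variant list above attributes to Zotob. The port table comes from the article; the vendor hostnames in `WATCHED_DOMAINS`, the sample Hosts content and the sample netstat output are constructed for illustration. TCP 445 is deliberately not treated as an indicator, since it is open on every Windows file-sharing host.

```python
"""Triage helper for the Zotob symptoms described in the article (added example).

Checks constructed sample data for (1) Hosts-file entries that hijack security
vendor / update hostnames and (2) listeners or connections on the ports the
article attributes to Zotob variants.
"""
from typing import Dict, List, Optional, Tuple

# (protocol, port) pairs taken from the article's variant table. Each is a lead,
# not proof: 8080 and 6667 are also used by ordinary proxies and IRC clients.
ZOTOB_PORTS = {
    ("tcp", 33333),  # FTP server opened by Zotob.a, .b and .c
    ("tcp", 11173),  # FTP server opened by Zotob.d
    ("tcp", 8080),   # IRC connection used by Zotob.e
    ("tcp", 6667),   # IRC servers contacted by Zotob.g
    ("tcp", 1171),   # TFTP server opened by Zotob.g
    ("udp", 69),     # TFTP server opened by Zotob.e
}

# Assumed hostnames for the vendors the article names; the article itself does
# not list which hostnames the worm blocks.
WATCHED_DOMAINS = (
    "windowsupdate.com", "symantec.com", "mcafee.com", "sophos.com",
    "trendmicro.com", "f-secure.com", "pandasoftware.com", "norman.com",
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from Hosts-file text, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def hosts_tampering(text: str) -> List[Tuple[str, str]]:
    """Hosts entries that redirect a watched vendor/update domain (to any address)."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)]


def _port(addr: str) -> Optional[int]:
    """Port number of an 'ip:port' field, or None for '*:*' style wildcards."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def suspicious_sockets(netstat_text: str) -> List[Dict[str, object]]:
    """Flag netstat lines with a Zotob port as a local listener or an established remote peer."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header line or unrelated output
        proto = fields[0].lower()
        local, remote = _port(fields[1]), _port(fields[2])
        state = fields[3].upper() if proto == "tcp" and len(fields) > 3 else ""
        if (proto, local) in ZOTOB_PORTS and (proto == "udp" or state == "LISTENING"):
            findings.append({"proto": proto, "port": local, "role": "listener", "line": line.strip()})
        elif (proto, remote) in ZOTOB_PORTS and state == "ESTABLISHED":
            findings.append({"proto": proto, "port": remote, "role": "outbound", "line": line.strip()})
    return findings


# Constructed sample input (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.com
127.0.0.1       update.symantec.com   # a real infection adds many more
192.168.1.1     intranet.example
"""

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       456
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:33333          0.0.0.0:0              LISTENING       1234
  TCP    192.168.1.5:1052       203.0.113.7:8080       ESTABLISHED     1234
  UDP    0.0.0.0:69             *:*                                    1234
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for ip, name in hosts_tampering(SAMPLE_HOSTS):
        print(f"hosts: {name} redirected to {ip}")
    for f in suspicious_sockets(SAMPLE_NETSTAT):
        print(f"socket: {f['proto']}/{f['port']} ({f['role']}): {f['line']}")
```

On a live host the two inputs would be the contents of `%SystemRoot%\system32\drivers\etc\hosts` and the output of `netstat -an`; any hit on the Hosts side explains why the machine "cannot contact antivirus vendors", and a listener on 33333, 11173, 1171 or UDP 69 is worth correlating with the process IDs that `netstat -ano` reports.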

Prevention
If you are using Windows 2000 or running Windows XP SP1, download and install the Plug-and-Play vulnerability patch described by Microsoft in its August 2005 Security Bulletin MS05-039. Windows 95, 98, and Me systems are not vulnerable to this worm. Windows XP SP2 users should be safe unless they have enabled Null sessions. All updated Windows systems running a two-way desktop firewall should be immune to Zotob.

Removal
Most antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.