Zotob Targets Windows Update Laggards

If you use Microsoft products but don’t download security updates every month, you might want to think twice. A worm discovered over the weekend targets computers that haven’t plugged a recently patched vulnerability.

Zotob.B has been identified as a low-risk threat by security firm Trend Micro, but if a user’s machine is infected with the worm, the damage it can do and the rate at which it spreads could spell trouble for Internet users.

It is the second variant under the Zotob name to exploit the plug-and-play vulnerability. Zotob.A is similar to Zotob.B in that it infects a machine and replicates itself, but it uses a file called “BOTZOR.exe” in the Windows system directory. It, too, was discovered over the weekend.

The worm exploits a vulnerability in Microsoft’s plug-and-play code found in Windows 98/ME/NT/2000/XP/Server 2003. The Redmond, Wash.-based software giant released a patch for the vulnerability Tuesday as part of its monthly security patch update.

However, malware that targets the vulnerability started popping up on several hacking Web sites shortly after the critical fix — MS05-039 — was announced by Microsoft.

The worm installs a program called “CSM.exe” inside a user’s Windows system folder, where it then initiates an FTP server session and downloads a copy of itself. The worm then scans IP addresses for other unpatched machines, gets the FTP server to download a copy of “HAHA.exe” and repeats the process on the newly infected PC.

The worm can also open a backdoor on the user’s PC for future use, opening random ports on the computer and connecting it to an IRC server, where it waits for further commands.
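The infection chain described in the two paragraphs above (a dropper written to the Windows system folder, a scan of many addresses from one host, and an outbound IRC connection for command and control) maps directly onto a few host- and network-level indicators a defender can check for. The script below is an added example, not code from the article or from Trend Micro: it runs a simple indicator match over a handful of constructed log lines. The log line format, host names, IP addresses, the scan threshold and the IRC port (6667) are all assumptions made for the example; only the file names CSM.exe, HAHA.exe and BOTZOR.exe come from the article.

```python
"""Indicator matching for the Zotob behaviour described in the article.

Added example (not the article's or Trend Micro's code). Log formats, hosts,
addresses, ports and thresholds are constructed assumptions; the dropper
file names are the ones the article reports.
"""
import re
from collections import defaultdict

# Dropper names the article attributes to Zotob.A / Zotob.B.
ZOTOB_FILES = {"csm.exe", "haha.exe", "botzor.exe"}

# Constructed event formats (assumed, not a real product's log):
#   "<ts> <host> FILE <path written>"
#   "<ts> <host> CONN <dst_ip>:<dst_port>"
FILE_RE = re.compile(r"^(\d+) (\S+) FILE (.+)$")
CONN_RE = re.compile(r"^(\d+) (\S+) CONN (\d+\.\d+\.\d+\.\d+):(\d+)$")

# Constructed sample: pc-17 shows all three behaviours, pc-03 is clean.
# The destination port 445 in the fan-out lines is part of the constructed
# sample, not a claim about the worm taken from the article.
SAMPLE_LOG = "\n".join(
    ["1 pc-17 FILE C:\\WINDOWS\\system32\\CSM.exe",
     "2 pc-17 CONN 10.0.0.5:21"]
    + [f"{2 + i} pc-17 CONN 10.0.1.{i}:445" for i in range(1, 11)]
    + ["20 pc-17 CONN 203.0.113.9:6667",
       "21 pc-03 FILE C:\\Users\\ann\\notes.txt",
       "22 pc-03 CONN 10.0.0.5:80"]
)


def analyse(log, scan_threshold=8, irc_ports=(6667,)):
    """Return {host: [finding, ...]} for hosts matching any indicator.

    scan_threshold: number of distinct destination IPs one host must contact
    before its traffic is flagged as scan-like fan-out (assumed value).
    irc_ports: destination ports treated as IRC (assumed default 6667).
    """
    findings = defaultdict(list)
    conn_targets = defaultdict(set)

    for line in log.splitlines():
        m = FILE_RE.match(line)
        if m:
            ts, host, path = m.groups()
            # Normalise Windows/POSIX separators and compare the basename only.
            name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in ZOTOB_FILES and "system" in path.lower():
                findings[host].append(f"t={ts} dropper {name} written at {path}")
            continue

        m = CONN_RE.match(line)
        if m:
            ts, host, ip, port = m.groups()
            conn_targets[host].add(ip)
            if int(port) in irc_ports:
                findings[host].append(f"t={ts} outbound IRC connection to {ip}:{port}")

    # Fan-out heuristic: one host touching many distinct addresses.
    for host, ips in conn_targets.items():
        if len(ips) >= scan_threshold:
            findings[host].append(f"contacted {len(ips)} distinct hosts (scan-like fan-out)")

    return dict(findings)


if __name__ == "__main__":
    for host, items in analyse(SAMPLE_LOG).items():
        print(host)
        for item in items:
            print("  -", item)
```

Each check on its own is noisy (an FTP client or an IRC user is not a worm), so the value is in the combination: a host that writes one of the named droppers into the system folder, fans out to many addresses and then opens an IRC session is worth isolating and pointing at the vendor's removal instructions. Real deployments would replace the constructed log format with the fields of whatever host agent or flow collector is in use.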

Trend Micro’s World Virus Tracking Center started seeing spikes of infected computers Monday morning, though the spread seems limited to under 1,000 computers at present and only to computers in North America and Denmark.

The security firm has removal instructions for users who have been infected with the worm.
