The Worm - Zotob


James E. Morrow

The worm Zotob is reported to be on the loose. Microsoft has opened up
its "War Rooms" and the computers of the U.S. Senate are said to be
infected. Windows 2000 boxes are said to be the only ones at any real
risk. Surprise!

Symptoms include shutdown and frequent rebooting. A patch is available
from Microsoft at www.Microsoft.com/security.

http://www.microsoft.com/security/incident/zotob.mspx


http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

This message is for general information. I know the real professionals
in this group don't need to be told any of this, but it doesn't hurt to
repeat it.
 

you know who maybe

What I wanted to know is how they got infected in the first place? Did a
user go to a website, open an attachment, or download a file via FTP?
 

Virus Guy

you said:
What I wanted to know is

This is the only thing you need to know about this worm:

Non-Affected Software:

Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME)
 

Gabriele Neukam

On that special day, Colon Terminus, ([email protected])
said...
I guess no one knows exactly how this worm is contracted.
I've not seen a clear, concise explanation anywhere on the myriad of sites
I've visited.

It added the PnP vulnerability exploit to various other exploits that
had already been implemented, and because of that spread rather fast.

But I bet if someone has a closer look, (s)he might find well known
portions in the source. Some sites said there seemed to be a weird
contest going on, where bot A tried to remove bot B, and then a bot C
came and removed bot A, in turn.

http://www.f-secure.com/weblog/


Gabriele Neukam

(e-mail address removed)
 

Buffalo

you know who maybe said:
What I wanted to know is how they got infected in the first place? Did a
user go to a website, open an attachment, or download a file via FTP?
I read that it can be spread by email as a picture attachment.
Here is the link if you are interested:
http://www.eweek.com/article2/0,1895,1849337,00.asp

"The unusual number of news organizations hit may have been due to a Zotob
variant, Zotob.C, that spread over e-mail and disguised the worm file as a
picture attachment. One or more reporters used to receiving photos via e-mail
may have been the source of the infection, which then spread to vulnerable
machines on the corporate networks of those companies, and through stolen e-mail
contacts to other news organizations, according to an e-mail from Alan Paller,
director of research at SANS."
 

kurt wismer

Colon said:
I guess no one knows exactly how this worm is contracted.
I've not seen a clear, concise explanation anywhere on the myriad of sites
I've visited.

from the page listed above:
"The backdoor has the ability to spread to remote computers using the
PNP exploit on port 445. If the attack is successful a shell (cmd.exe)
is started on port 8594. Through the shell port, the worm sends a tftp
script which instructs the remote computer to download and execute the
worm from the attacker computer using built-in TFTP server listening on
port 69."

that seems pretty clear to me...
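The quoted F-Secure text above gives a defender three concrete things to look for in network logs: a connection to the victim on port 445 (the PnP exploit), a second connection from the same peer to port 8594 (the cmd.exe shell), and then the victim reaching back to that same peer on UDP port 69 (TFTP) to fetch the worm body. A single connection to 445 is ordinary SMB traffic; the ordered chain is what marks an infection. The following Python sketch is an added example, not code from the thread or from F-Secure: it correlates that chain over a constructed connection log and also counts how many distinct hosts each source probes on 445, since a freshly infected box immediately starts fanning out. The log format, the IP addresses, and the two-minute correlation window are assumptions made for the example; only the three port numbers come from the quoted text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EXPLOIT_PORT = 445   # PnP exploit delivered over SMB (from the quoted F-Secure text)
SHELL_PORT = 8594    # cmd.exe shell the worm opens on the victim (quoted text)
TFTP_PORT = 69       # victim pulls the worm from the attacker via TFTP (quoted text)
WINDOW = timedelta(minutes=2)  # assumed: the three steps happen seconds apart

# Constructed sample log (not real traffic). Each line is
# "<ISO time> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2005-08-16T10:00:01 tcp 10.0.0.5:1337 -> 10.0.0.20:445
2005-08-16T10:00:02 tcp 10.0.0.5:1338 -> 10.0.0.20:8594
2005-08-16T10:00:03 udp 10.0.0.20:1025 -> 10.0.0.5:69
2005-08-16T10:00:10 tcp 10.0.0.7:2000 -> 10.0.0.21:445
2005-08-16T10:00:11 tcp 10.0.0.8:2001 -> 10.0.0.21:445
2005-08-16T10:00:30 tcp 10.0.0.20:1040 -> 10.0.0.30:445
2005-08-16T10:00:30 tcp 10.0.0.20:1041 -> 10.0.0.31:445
2005-08-16T10:00:31 tcp 10.0.0.20:1042 -> 10.0.0.32:445
2005-08-16T10:05:00 udp 10.0.0.21:1026 -> 10.0.0.9:69
"""


def parse_line(line):
    """Return (time, proto, src_ip, dst_ip, dst_port) for one log line."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, src_ip, dst_ip, int(dst_port)


def find_zotob_chains(log_text, window=WINDOW):
    """Flag (attacker, victim) pairs that show exploit -> shell -> tftp in order.

    Events are keyed by (attacker, victim). The TFTP step runs the other way
    (victim connects to attacker), so its endpoints are swapped before keying.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        t, proto, src, dst, dport = parse_line(line)
        if proto == "tcp" and dport == EXPLOIT_PORT:
            events[(src, dst)].append((t, "exploit"))
        elif proto == "tcp" and dport == SHELL_PORT:
            events[(src, dst)].append((t, "shell"))
        elif proto == "udp" and dport == TFTP_PORT:
            events[(dst, src)].append((t, "tftp"))

    hits = []
    for (attacker, victim), evs in events.items():
        exploit = sorted(t for t, step in evs if step == "exploit")
        shell = sorted(t for t, step in evs if step == "shell")
        tftp = sorted(t for t, step in evs if step == "tftp")
        for e in exploit:
            # first shell connection at or after the exploit, then first TFTP after that
            s_after = [s for s in shell if s >= e]
            if not s_after:
                continue
            f_after = [f for f in tftp if f >= s_after[0]]
            if not f_after:
                continue
            if f_after[0] - e <= window:
                hits.append({"attacker": attacker, "victim": victim, "first_seen": e})
                break
    return hits


def exploit_fan_out(log_text):
    """Number of distinct hosts each source touched on port 445 (scanning indicator)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _t, proto, src, dst, dport = parse_line(line)
        if proto == "tcp" and dport == EXPLOIT_PORT:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    for hit in find_zotob_chains(SAMPLE_LOG):
        print("infection chain:", hit)
    for src, n in sorted(exploit_fan_out(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{src} probed {n} host(s) on 445")
```

On the sample, only the 10.0.0.5 to 10.0.0.20 pair completes the chain; the two plain 445 connections to 10.0.0.21 and the stray TFTP transfer to 10.0.0.9 are not flagged on their own. The fan-out count then shows 10.0.0.20, the host that was just infected, probing three neighbours on 445, which is the behaviour that makes the worm spread inside a network once one machine is hit.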
 

Colon Terminus

Buffalo said:
I read that it can be spread by email as a picture attachment.
Here is the link if you are interested:
http://www.eweek.com/article2/0,1895,1849337,00.asp

"The unusual number of news organizations hit may have been due to a Zotob
variant, Zotob.C, that spread over e-mail and disguised the worm file as a
picture attachment. One or more reporters used to receiving photos via e-mail
may have been the source of the infection, which then spread to vulnerable
machines on the corporate networks of those companies, and through stolen e-mail
contacts to other news organizations, according to an e-mail from Alan Paller,
director of research at SANS."

Bingo!

Spreads via email. Wonder why that info was so difficult to drag outta the
information providers. All the initial reports were quite vague in this
regard, leaving readers confused as to how the bug spread. Most in my circle
believed it was only spread via IRC and therefore they, as non-users of
IRC, didn't need to be concerned.

Thanks for the enlightenment.
 

Buffalo

Colon Terminus said:
Bingo!

Spreads via email. Wonder why that info was so difficult to drag outta the
information providers. All the initial reports were quite vague in this
regard, leaving readers confused as to how the bug spread. Most in my circle
believed it was only spread via IRC and therefore they, as non-users of
IRC, didn't need to be concerned.

Thanks for the enlightenment.

You're welcome,
Buffalo
 

Tore Lund

Colon said:
Spreads via email. Wonder why that info was so difficult to drag outta the
information providers.

Some of the info says quite explicitly that it is also able to spread
via port 445. Since most users probably don't know how to close port
445 to intruders, this is worth emphasizing.
 

Buffalo

Tore Lund said:
Some of the info says quite explicitly that it is also able to spread
via port 445. Since most users probably don't know how to close port
445 to intruders, this is worth emphasizing.

Very true.
 
