NEWS FROM THE LAB - Sunday, August 14, 2005

New worm using a fresh exploit found
Posted by Mikko @ 12:24 GMT

A new worm, known as Zotob, that uses the MS05-39 Plug-and-Play vulnerability has been found.

This is nasty, as patches for this vulnerability have only been available for five days. Patch now.

The worm is based on Mytob and might be using exploit code published by 'houseofdabus' four days ago.

This whole case has a nasty ring to it: the infamous Sasser worm was released two days after houseofdabus published exploit code for the LSASS vulnerability.

However, Zotob is not going to become another Sasser. First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, the majority of Windows boxes on the net won't be hit by it.

This worm replicates by scanning random machines on port 445/TCP. When a victim is found, the exploit code downloads the main worm file via ftp from the scanning machine, sets up an ftp server on the newly infected machine and starts scanning for more targets.
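A defender-side check for the propagation pattern just described, added here as an example (not code from the original post or from the lab): it runs over constructed firewall log lines, flags a source that hits many distinct hosts on 445/TCP inside one time bucket, and then flags any host that opens 21/TCP back to that source, which is the worm's ftp download step. The log format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log (not from the original post). Assumed line format:
# "<epoch> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
1124021000 TCP 10.0.0.5:1034 -> 10.0.1.17:445 ALLOW
1124021001 TCP 10.0.0.5:1035 -> 192.168.3.9:445 DENY
1124021002 TCP 10.0.0.5:1036 -> 172.16.8.2:445 DENY
1124021003 TCP 10.0.0.5:1037 -> 10.0.1.40:445 ALLOW
1124021004 TCP 10.0.0.5:1038 -> 10.0.2.77:445 ALLOW
1124021005 TCP 10.0.0.5:1039 -> 10.0.3.12:445 DENY
1124021020 TCP 10.0.1.40:1101 -> 10.0.0.5:21 ALLOW
1124021030 TCP 10.0.0.9:2201 -> 10.0.0.10:445 ALLOW
1124021500 TCP 10.0.0.12:3300 -> 10.0.0.20:21 ALLOW
"""

LINE_RE = re.compile(r"^(\d+) (\w+) ([\d.]+):\d+ -> ([\d.]+):(\d+) \w+$")

def parse_line(line):
    """Return (ts, proto, src, dst, dport) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, dst, dport = m.groups()
    return int(ts), proto, src, dst, int(dport)

def find_445_scanners(events, window=60, threshold=5):
    """Sources that hit >= threshold distinct hosts on 445/TCP within one window-second bucket."""
    targets = defaultdict(set)            # (src, time bucket) -> distinct destination hosts
    for ts, proto, src, dst, dport in events:
        if proto == "TCP" and dport == 445:
            targets[(src, ts // window)].add(dst)
    scanners = {}
    for (src, _), dsts in targets.items():
        if len(dsts) >= threshold:
            scanners[src] = max(scanners.get(src, 0), len(dsts))
    return scanners

def find_ftp_callbacks(events, scanners):
    """Hosts opening 21/TCP to a flagged scanner: the worm's download-from-scanner step."""
    return sorted({(src, dst) for _, proto, src, dst, dport in events
                   if proto == "TCP" and dport == 21 and dst in scanners})

def analyse(log_text, window=60, threshold=5):
    """Run both checks over a log; a scanner with callbacks means the worm has already spread."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    scanners = find_445_scanners(events, window, threshold)
    return {"scanners": scanners, "ftp_callbacks": find_ftp_callbacks(events, scanners)}
```

A single host repeatedly contacting one file server on 445/TCP is not flagged, since the heuristic counts distinct destinations, not connection attempts.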

While we were adding detection of this worm, we found this message hidden inside the virus:

  MSG to avs: the first av who detect this worm
  will be the first killed in the next 24hours!!!

We detect Zotob with update 2005_08_14-01.