NEWS FROM THE LAB - Monday, August 15, 2005

Another Zotob
Posted by Jarkko @ 09:59 GMT

Shortly after Zotob.A, another variant, named Zotob.B, appeared. This one is almost identical to the previous variant. See the description of Zotob.B for more information. We detect this Zotob with update 2005_08_15-02.

Also, there is some confusion about which exploits Zotob uses. The variants we know of use only the PnP exploit (MS05-039). They don't use any other exploits (for example, LSASS). Maybe Zotobs are being confused with other IRC bots that use the PnP exploit. There are several of these in the wild now.