Contrary to your probable first impression, Zotob is NOT the third bastard child of Haruk the Klingon. 

In fact, it’s a nasty new worm that exploits a vulnerability in Plug and Pray (Plug and Play, PnP), allowing a remote attacker to take control of a Windows system.

Windows 2000 systems are particularly at risk, although XP and Server 2003 systems also carry a risk of infection.

According to SANS:

“The worm will download the main payload from the infecting machine. Once a machine is infected, it will become an ftp server itself. It will scan for open port 445/tcp. Once it finds a system with port 445 listening, it will try to use the PnP exploit to download and execute the main payload via ftp.

Important facts so far:
– Patch MS05-039 will protect you
– Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
– Blocking port 445 will protect you (but watch for internal infected systems)
– The FTP server does not run on port 21. It appears to pick a random high port.”

Patch those systems!

Note that in certain rare cases, Zotob can infect Windows XP and Windows Server 2003 systems if the computers were set up to enable null sessions. See the PC World article here.
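For the "watch for internal infected systems" point in the SANS notes, here is an added example (not from the original post or from SANS) that flags internal hosts fanning out on 445/tcp and then being contacted on a high port by a host they probed. The flow-record format, the thresholds and the function names are assumptions made for illustration, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): "epoch_seconds src dst dst_port proto"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.10 445 tcp
1001 10.0.0.5 10.0.0.11 445 tcp
1002 10.0.0.5 10.0.0.12 445 tcp
1003 10.0.0.5 10.0.0.13 445 tcp
1004 10.0.0.5 10.0.0.14 445 tcp
1012 10.0.0.12 10.0.0.5 33812 tcp
1020 10.0.0.20 10.0.0.2 445 tcp
1500 10.0.0.21 10.0.0.30 8080 tcp
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        ts, src, dst, dport, _ = parts
        if ts.isdigit() and dport.isdigit():
            yield int(ts), src, dst, int(dport)

def find_suspects(flows, fanout=5, window=60, callback_window=120):
    """Flag sources probing >= fanout distinct hosts on 445/tcp within `window`
    seconds; list probed hosts that then connected back on a high port."""
    smb, high = defaultdict(list), []
    for ts, src, dst, dport in flows:
        if dport == 445:
            smb[src].append((ts, dst))
        elif dport >= 1024:
            high.append((ts, src, dst))  # initiator, then the host serving the port
    suspects = {}
    for src, hits in smb.items():
        hits.sort()
        # Largest set of distinct destinations inside any window-sized span.
        widest = max(({d for t, d in hits[i:] if t - t0 <= window}
                      for i, (t0, _) in enumerate(hits)), key=len)
        if len(widest) < fanout:
            continue
        first_probe = {d: t for t, d in reversed(hits)}  # earliest probe per target
        callbacks = {client for t, client, server in high
                     if server == src and client in first_probe
                     and 0 <= t - first_probe[client] <= callback_window}
        suspects[src] = {"targets": widest, "callbacks": callbacks}
    return suspects
```

A host listed under `callbacks` was probed and then fetched something from the scanner on a high port, so it should be triaged as likely infected rather than merely scanned.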

Alex Eckelberry 
(Tip ‘o the hat to Eric)

