Normally the mainstream media would scarcely mention a worm outbreak, even on a slow news day. Today is a different story, as the computers of CNN and other major media forces were crippled by the 'Zotob' virus. Apparently the outbreak was caused by infected laptops which made their way behind corporate routers, spreading the infection unhindered. CNN is claiming that the virus only affects Windows 2000 workstations, but according to Symantec this is erroneous. In fact, Symantec claims that 'W32.Zotob.D', as it's called, also affects Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP (both Home and Pro). As always, Linux, Mac and other operating systems are exempt.

It seems the purpose of this particular worm is to infect MS Windows through port 445 (the SMB or 'file and print sharing' port). Once in place, the worm mutates, copies itself, changes registry keys, connects to one of many IRC servers, and starts an FTP server on port 1117. Afterwards, it attempts to reproduce using the same methods by which it was infected. You can protect yourself from infection by disabling file and print sharing on any vulnerable systems which are not used explicitly for that purpose. Follow the story at Information Week and of course CNN.
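The two behaviours described above (spreading over TCP 445 and standing up an FTP server on TCP 1117) are cheap to look for in an internal firewall or flow log, which is how the laptop-behind-the-router scenario tends to get spotted. The following is an added example, not code from the article or from Symantec; the log format, the IP addresses and the fan-out threshold are constructed for illustration, and the regular expression would need adapting to a real log source.

```python
"""Network-log triage for Zotob-style worm behaviour (added example, not from the article).

Two signals drawn from the write-up above:
  1. one host connecting to many distinct peers on 445 (propagation fan-out), and
  2. any host accepting connections on 1117 (the FTP server the worm starts).
The log format, addresses and threshold below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample log: 10.1.4.22 (a laptop) fans out on 445 to eight peers,
# 10.1.4.50 talks to a single file server normally, and 10.1.4.30 later
# connects to 10.1.4.22 on 1117.
SAMPLE_LOG = """\
2005-08-16T14:02:01 src=10.1.4.22 dst=10.1.4.23 dport=445 proto=tcp action=allow
2005-08-16T14:02:01 src=10.1.4.22 dst=10.1.4.24 dport=445 proto=tcp action=allow
2005-08-16T14:02:02 src=10.1.4.22 dst=10.1.4.25 dport=445 proto=tcp action=allow
2005-08-16T14:02:02 src=10.1.4.22 dst=10.1.4.26 dport=445 proto=tcp action=allow
2005-08-16T14:02:03 src=10.1.4.22 dst=10.1.4.27 dport=445 proto=tcp action=allow
2005-08-16T14:02:03 src=10.1.4.22 dst=10.1.4.28 dport=445 proto=tcp action=allow
2005-08-16T14:02:04 src=10.1.4.22 dst=10.1.4.29 dport=445 proto=tcp action=allow
2005-08-16T14:02:04 src=10.1.4.22 dst=10.1.4.30 dport=445 proto=tcp action=allow
2005-08-16T14:02:05 src=10.1.4.50 dst=10.1.4.5 dport=445 proto=tcp action=allow
2005-08-16T14:02:06 src=10.1.4.50 dst=10.1.4.5 dport=445 proto=tcp action=allow
2005-08-16T14:02:09 src=10.1.4.30 dst=10.1.4.22 dport=1117 proto=tcp action=allow
"""

# Assumed key=value log layout; adjust for the real firewall's format.
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

SMB_PORT = 445        # propagation port named in the article
WORM_FTP_PORT = 1117  # FTP server port named in the article


def parse_log(text):
    """Yield (src, dst, dport) for each TCP line that matches LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def smb_fanout(events, threshold):
    """Map src -> count of distinct peers contacted on 445, for sources at or above threshold.

    A workstation normally talks to a handful of file servers; contacting many
    distinct peers on 445 in a short window is the propagation pattern.
    """
    peers = defaultdict(set)
    for src, dst, dport in events:
        if dport == SMB_PORT:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


def worm_ftp_listeners(events):
    """Hosts that accepted an inbound connection on the worm's FTP port."""
    return {dst for _, dst, dport in events if dport == WORM_FTP_PORT}


def triage(text, threshold=5):
    """Combine both signals; a host showing both is the strongest candidate for isolation."""
    events = list(parse_log(text))
    scanners = smb_fanout(events, threshold)
    listeners = worm_ftp_listeners(events)
    return {
        "smb_fanout": scanners,
        "port_1117_listeners": listeners,
        "both": sorted(set(scanners) & listeners),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

On the constructed log this flags 10.1.4.22 on both counts, while 10.1.4.50 (two connections to one server) stays below the fan-out threshold. Known file servers should be excluded from the 445 fan-out check, or the threshold raised for them, to keep the noise down.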
An interesting side effect is the fact that W32.Zotob.D actually searches for the following files and folders to delete the files and the contents of folders:

* %SYSTEM%\pnpsrv.exe
* %SYSTEM%\winpnp.exe
* %SYSTEM%\csm.exe
* %SYSTEM%\botzor.exe
* %PROGRAMFILES%\MyWebSearch
* %PROGRAMFILES%\MyWebSearch\*.exe
* %PROGRAMFILES%\Hotbar
* %PROGRAMFILES%\Hotbar\*.exe
* %PROGRAMFILES%\MyWay
* %PROGRAMFILES%\MyWay\*.exe
* %PROGRAMFILES%\180Solutions
* %PROGRAMFILES%\180Solutions\*.exe
* %PROGRAMFILES%\Common Files\WinTools
* %PROGRAMFILES%\Common Files\WinTools\*.exe
* %PROGRAMFILES%\Toolbar
* %PROGRAMFILES%\Toolbar\*.exe
* %PROGRAMFILES%\CxtPls
* %PROGRAMFILES%\NavExcel
* %PROGRAMFILES%\AutoUpdate
* %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
* %PROGRAMFILES%\EbatesMoeMoneyMaker
* %PROGRAMFILES%\eZula
* %PROGRAMFILES%\eZula\mmod.exe
* %PROGRAMFILES%\Common Files\GMT
* %PROGRAMFILES%\Common Files\GMT\GMT.exe
* %PROGRAMFILES%\Common Files\CMEII

That stuff is all spyware -- it's actually removing certain types of spyware as it does its thing. Perhaps because spyware hinders botfarm productivity?