Digital Babble: Patch Time

Remember the other day when I told you how important it was to keep up with your Windows Updates?

It's time to patch up now.

From F-Secure
New worm known as Zotob using the MS05-39 Plug-and-Play vulnerability has been found.

This is nasty, as patches for this vulnerability have only been available for five days. Patch now.

The worm is based on Mytob and might be using exploit code published by 'houseofdabus' four days ago.

This whole case has a nasty ring to it...the infamous Sasser worm was released two days after houseofdabus released exploit code for the LSASS vulnerability.

However, Zotob is not going to become another Sasser. First of all, it will not infect Windows XP SP2 machines. It also won't infect machines that have 445/TCP blocked at the firewall. As a result, the majority of Windows boxes on the net won't be hit by it.

This worm replicates by scanning random machines at port 445/TCP. When a victim is found, the exploit code downloads the main virus file via ftp from the scanning machine, sets up an ftp server on the infected machine and starts scanning for more targets.

While we were adding detection of this worm, we found this message hidden inside the virus:

MSG to avs: the first av who detect this worm
will be the first killed in the next 24hours!!!

We detect Zotob with update 2005_08_14-01.


Ok, so you're wondering: what does all of that mean?

It means that if your computer is vulnerable (it doesn't have the update that closes this hole, and port 445 isn't blocked by a firewall), this worm can get onto it simply because it is connected to the Internet. You don't have to open a certain webpage or email to get it; it just attacks your PC while you are online.

Microsoft released the fix a few days ago, so if you installed the latest Windows Updates you should be OK. If you have Windows XP Service Pack 2, this particular worm won't infect you either, but install the update anyway.
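For readers who run a network rather than a single PC, the propagation pattern F-Secure describes is easy to spot in firewall logs: one host knocking on 445/TCP at many distinct random addresses, and then a freshly exploited victim opening a connection back to that host to fetch the worm body over ftp. The script below is an added example written for this post, not code from F-Secure or from the worm; the log format, the sample lines, the five-target threshold and the sixty-second pull-back window are all assumptions constructed for illustration.

```python
"""Flag hosts whose traffic matches the Zotob propagation pattern:
many 445/TCP connection attempts to distinct addresses, followed by the
exploited victim connecting back to the scanner to fetch the worm body.
The log format and every sample line below are constructed for this
example; they are not real captures."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed firewall log format: "<date> <time> ALLOW|DENY TCP src:port -> dst:port"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample traffic. 10.0.0.5 sweeps random addresses on 445/TCP,
# reaches 10.0.0.9, which then pulls the payload back from 10.0.0.5 (the
# pull-back port 33333 is arbitrary here). 10.0.0.7 is a normal client
# talking to one file server on two ports and must not be flagged.
SAMPLE_LOG = """\
2005-08-14 10:00:01 DENY TCP 10.0.0.5:1034 -> 203.0.113.17:445
2005-08-14 10:00:01 DENY TCP 10.0.0.5:1035 -> 198.51.100.42:445
2005-08-14 10:00:02 DENY TCP 10.0.0.5:1036 -> 192.0.2.200:445
2005-08-14 10:00:02 ALLOW TCP 10.0.0.5:1037 -> 10.0.0.9:445
2005-08-14 10:00:03 DENY TCP 10.0.0.5:1038 -> 203.0.113.99:445
2005-08-14 10:00:03 DENY TCP 10.0.0.5:1039 -> 198.51.100.7:445
2005-08-14 10:00:05 ALLOW TCP 10.0.0.9:1501 -> 10.0.0.5:33333
2005-08-14 10:00:09 ALLOW TCP 10.0.0.9:1502 -> 192.0.2.88:445
2005-08-14 10:01:00 ALLOW TCP 10.0.0.7:2201 -> 10.0.0.200:445
2005-08-14 10:01:01 ALLOW TCP 10.0.0.7:2202 -> 10.0.0.200:139
"""


def parse(text):
    """Turn log text into a list of event dicts; lines that do not fit the
    assumed format are skipped rather than crashing the run."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def find_scanners(events, min_targets=5):
    """Sources that tried 445/TCP against at least min_targets distinct hosts.
    The threshold is an assumption: a real client talks to a handful of file
    servers, a worm sweeping random addresses talks to hundreds. Denied
    attempts count too, since blocked probes are the clearest scan signal."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] == 445:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def find_pullbacks(events, scanners, window=timedelta(seconds=60)):
    """Victims that, after an allowed 445/TCP hit from a scanner, open a new
    TCP connection back to that scanner within the window (the ftp fetch of
    the worm body). Returns (victim, scanner, dport) tuples; each such victim
    is a likely new infection and the next scanner on the network."""
    hits = {}  # (scanner, victim) -> time of the first allowed 445 hit
    for e in events:
        if e["src"] in scanners and e["dport"] == 445 and e["action"] == "ALLOW":
            hits.setdefault((e["src"], e["dst"]), e["ts"])
    found = []
    for e in events:
        t0 = hits.get((e["dst"], e["src"]))  # victim -> scanner direction
        if t0 is not None and e["action"] == "ALLOW" and t0 <= e["ts"] <= t0 + window:
            found.append((e["src"], e["dst"], e["dport"]))
    return found


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    scan = find_scanners(evs)
    for src, dsts in scan.items():
        print(f"scanner {src}: {len(dsts)} distinct 445/TCP targets")
    for victim, scanner, port in find_pullbacks(evs, scan):
        print(f"pull-back: {victim} -> {scanner}:{port} (likely infected)")
```

On the constructed sample this reports 10.0.0.5 as the scanner and 10.0.0.9 as the victim pulling the payload back; 10.0.0.7, which only touches a single server, is left alone. On a real network the threshold and window need tuning, and a host flagged as a scanner should be pulled off the wire before it is patched, since it keeps scanning until the process is killed.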

Don't know what version of Windows you have? Click here to see how to determine that. (I know they spelled "menu" wrong, but the instructions are correct.) You can also find this info by right-clicking the "My Computer" icon on your desktop and selecting "Properties." Under the "System" heading you will see which version and service pack you have.

Trend Micro has a cool diagram and explanation of how Zotob works.