Zotob worm exploits Windows 2000 Plug and Play

New worms have surfaced that attack a critical vulnerability in Microsoft's Windows 2000 Plug and Play service. Over the weekend, two variants of a new worm, dubbed Zotob, have begun circulating, though neither variant has become widespread, researchers say.

The worms spread using the TCP/IP (Transmission Control Protocol/Internet Protocol) port 445, which is associated with Windows file sharing, and take advantage of the Plug and Play system bug to seize control of the operating system. Infected computers are then told to await further instructions on an IRC (Internet Relay Chat) channel, meaning that they could then be used to attack other systems, according to Johannes Ullrich, chief research officer with The SANS Institute, a Bethesda, Md., security training company.

The Zotob family also disables the Windows Update service and blocks access to certain Web sites, including eBay.com and amazon.com, Ullrich said.

Because Zotob can generally only affect unpatched Windows 2000 systems, which have also have an open port 445, it is unlikely to be widespread, Ullrich said. "It doesn't seem to be spreading fast," he said.

Microsoft released a patch for this Plug and Play vulnerability last Tuesday.

On Monday, Trend Micro had reported the existence of two Zotob variants, called Zotob.a and Zotob.b. The antivirus vendor referred to Zotob as "a failed attack," in a statement issued Monday, but cautioned that further variants could be forthcoming.

Users of Windows 95, 98 and ME are not susceptible to Zotob. Windows XP and Windows Server 2003 systems could be vulnerable in certain rare circumstances, however. In order for this to happen, the system's registry file would have to be altered to allow the computer to list system resources without requiring a login, a practice called "enabling Null sessions."

Null sessions are not enabled by default in Windows XP or Windows Server 2003, Ullrich said, and SANS has published instructions on how to check to see if they are enabled here: http://isc.sans.org/diary.php?date=2005-08-15.

Samples of code that could be used in a Plug and Play attack began surfacing late last week, just days after Microsoft disclosed the vulnerability, so the emergence of the Zotob worms does not come as a surprise. Exploit code for another recently disclosed vulnerability in the Internet Explorer browser was also published last week, but SANS has not yet seen this software used in attacks, Ullrich said.