
New Internet worm affects Windows users


myidisbb


http://news.yahoo.com/s/nm/20050815/ts_nm/singapore_virus_dc

SINGAPORE (Reuters) - A new Internet virus has been detected that can infect Microsoft's Windows platforms faster than previous computer worms, said an anti-virus computer software maker.

The ZOTOB virus appeared shortly after the world's largest software maker warned of three newly found "critical" security flaws in its software, including one that could allow attackers to take complete control of a computer.

The latest worm exploits security holes in Microsoft's Windows 95, 98, ME, NE, 2000 and XP platforms and can give computer attackers remote access to affected systems, said Trend Micro Inc.

"Hundreds of infection reports were sighted in the United States and Germany," Tokyo-based Trend Micro said in a statement released late last week.

"Since most users may not be aware of this newly announced security hole so as to install the necessary patch during last weekend, we can foresee more infections from WORM_ZOTOB," it said.

The latest virus drops a copy of itself into the Windows system folder as BOTZOR.EXE and modifies the system's host file in the infected user's computer to prevent the user getting online assistance from antivirus web sites, Trend Micro added.

It can also connect to a specific Internet relay chat server and give hackers remote control over affected systems, which can be used to infect other unpatched machines in a network and slow down the network performance.

Last Tuesday, Microsoft issued patches to fix its security flaws as part of its monthly security bulletin. The problems affect the Windows operating system and Microsoft's Internet Explorer Web browser.

Microsoft has warned that an attacker could exploit a vulnerability in its Internet Explorer Web browser and lure users to malicious Web pages, and could run a software code on the user's PC giving the attacker control of the affected computer.

Computer users should update their anti-virus pattern files and apply the latest Microsoft patches to protect their computer systems, Trend Micro said.

More than 90 percent of the world's PCs run on the Windows operating system and Microsoft has been working to improve the security and reliability of its software.

my take. this reminds me of DoLFaN's problem. ie hosts file


yeah, it does, makes me wanna run windows update. better yet, any word on what the exact port/protocol it uses, we could just firewall it? :huh:



yeah, it does, makes me wanna run windows update. better yet, any word on what the exact port/protocol it uses, we could just firewall it? :huh:

i had run the latest win update a few days ago. i don't know if they put it in the latest security update. sometimes win makes a fix then waits a few weeks. who knows.

in any case i just search for "BOTZOR.EXE" in the windows folder.



Holy shit.. that affects all windows OS's..

Microsoft's Windows 95, 98, ME, NE, 2000 and XP

I'm assuming you mean NT not NE. :huh:



Lol, I bet Vista is also affected.. just not listed cause it's a private beta... ;)



Lol, I bet Vista is also affected.. just not listed cause it's a private beta... ;)

i wonder if microsoft patch will even let you patch vista then. ms control freaks



  • Administrator
i had run the latest win update a few days ago. i don't know if they put it in the latest security update. sometimes win makes a fix then waits a few weeks. who knows.

in any case i just search for "BOTZOR.EXE" in the windows folder.

Depending on what variant you have....

csm.exe is the name of another variant of the worm :P

Also check your tasks list for "haha.exe"

Holy shit.. that affects all windows OS's..

It's not entirely correct however. The worm can function on Win98/ME, but doesn't do any damage. Also, it only targets systems running Windows 2000, as such its progress is limited. According to MS, Win XP/2k3 are not affected. Trend's research team isn't very good either. They have a lot of "juniors", i.e. people with little experience.

yeah, too bad M$ dropped support for 9x a few months back (they're fucked) ;)

See above

yeah, it does, makes me wanna run windows update. better yet, any word on what the exact port/protocol it uses, we could just firewall it?

Block access for ftp.exe on port 33333. And global access to port 445. It's not 100% protection however. Your anti-virus should detect it.

i wonder if microsoft patch will even let you patch vista then.  ms control freaks

Why do you use microsoft products then? You have a choice not to.



I LOVE U LITE

lol, how cool is that? i was mentioned in a post!

sorry, i'm in a strange mood. Just pay zero attention to me...



Just in case if some1 is infected...

Check for Infection

When Zotob.A infects a computer, it attempts to deliver a malicious file named Botzor.exe. If your computer is infected, this file will be present and your registry will show changes. Use any of the following methods to check for infection. (If you find the file, you do not need to check the registry, and vice versa.)

Search your computer for the Botzor.exe file

1. Click Start, point to Search, and then click For Files and Folders.

2. Click Use Advanced Search Options. Under Search by any or all of the criteria below, enter the following information:

A. Under All or part of the file name: enter Botzor.exe.

B. Under Look in: click Local Hard Drives.

C. Under More Advanced Options, select Search system folders and Search hidden files and folders.

3.  Click Search.

Look for new keys added to the registry

In registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run added value WINDOWS SYSTEM with data of botzor.exe

In registry key HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices added value WINDOWS SYSTEM with data botzor.exe
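
The registry check described in the post above, as an added example that is not part of the original post or of the vendor guidance it quotes: it scans a text export of the registry (for instance the output of `reg export`, decoded to text) for Run and RunServices values that launch one of the file names mentioned in this thread. The sample export, the name list and the function name are constructed for illustration.

```python
import re

# File names this thread associates with the worm (list assembled from the posts).
SUSPECT_NAMES = {"botzor.exe", "csm.exe", "haha.exe"}
# The two autostart keys named in the post, lower-cased for comparison.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample of a registry export, already decoded to text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"WINDOWS SYSTEM"="botzor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="C:\\WINNT\\system32\\BOTZOR.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"note"="botzor.exe"
'''


def find_autostart_hits(reg_text):
    """Return (key, value_name, data) for autostart values that launch a suspect file."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        value = STRING_VALUE.match(line)
        if value and key and key.lower() in AUTOSTART_KEYS:
            # .reg strings escape a backslash and a quote with a backslash; undo that.
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in value.groups())
            # Split the command into path components and arguments, compare names.
            tokens = set(re.split(r'[\\/"\s]+', data.lower()))
            if tokens & SUSPECT_NAMES:
                hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    print(find_autostart_hits(SAMPLE_REG))
```

Matching on the launched file name rather than only the value name WINDOWS SYSTEM also catches the other file names reported in this thread, and values outside the two autostart keys are ignored.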



  • Administrator
Just in case if some1 is infected...

Too bad those removal instructions suck.

Here's some better details:

Variant 1

Variant 2

I haven't looked at the Symantec site yet, but they have a good analysis generally too ;)



  • Administrator

Sorry, if i came up a bit hard, but i would rather users know EXACTLY what's going on.

Mike (one of the main analysts at ESET and the person who did that write-up....), is an experienced analyst.



Update:

Network worms are shutting down computers running Microsoft's Windows 2000 operating system, security experts warned Tuesday. Computers across the United States are being hit, including those at cable news station CNN, television network ABC and The New York Times. Tokyo-based antivirus company Trend Micro blames the havoc on various worms, including the Zotob worm that hit the Internet over the weekend and new variants of the Rbot worm.

All of the worms exploit a security hole in the plug-and-play feature in the Windows 2000 operating system. Microsoft offered a fix for the bug as part of its monthly patching cycle last week. The software maker deemed the issue "critical," its most serious rating.

turns out there's more than one worm using the sploit ;) kinda stupid all those companies are using outdated software tho. if they would've taken the time/money to update to XP they wouldn't be having this problem ;)

Source: MSFN



SliverSamuel

This is getting serious... ;)


