Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Worms Security Media

Zotob Worm Hits CNN and Goes Global 522

securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."
This discussion has been archived. No new comments can be posted.

Zotob Worm Hits CNN and Goes Global

Comments Filter:
  • by ackthpt ( 218170 ) * on Tuesday August 16, 2005 @06:45PM (#13334995) Homepage Journal
    • If computer is Apple, No
    • If OS is Linux, No
    • If OS is Windows variant, Could be
    • If OS is Windows 2000, Could be
    • If Search finds Botzor.exe in your filesystem, Definitely
      • What do I do?
      • Ignore it, like millions of others.
  • by Kelson ( 129150 ) * on Tuesday August 16, 2005 @06:45PM (#13334997) Homepage Journal

    The Internet Storm Center's take [sans.org] on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:

    Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops where able to take out the network from the inside once they connected back to it.
    • by Jeremiah Cornelius ( 137 ) on Tuesday August 16, 2005 @06:56PM (#13335085) Homepage Journal
      Appalling security for these folks. Bucket-brigade virus infections. Now you know how to take one of these orgs out - drop a nasty on the lobby jacks.
    • by Gary W. Longsine ( 124661 ) on Tuesday August 16, 2005 @07:44PM (#13335447) Homepage Journal
      There are other possible infection vectors, but that one is most likely. Corporations would never expose Windows systems directly on the internet, but they buy laptops by the truckload, allow users to take them anywhere, then bring them back into the office and hook them up as though they were not any different than your nice safely-protected behind the firewall chained to the desktop system -- as though they hadn't been handed over to organized crime for a few days, for example. It's really not rational, but it's almost universal practice.
      ABC News on the worm [go.com]
      "CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."
      We have seen this at a government client this week. It appears that the worm authors didn't test on Windows 2000 SP3. Several variants cause the target system to reboot when they attempt to exploit the MS05-039 defect on systems older than Windows 2000 SP4, apparently without infecting the target. The issue could be more subtle than that, perhaps systems running a particular hotfix or something like that, but I haven't had a chance to dig deeper on this point.

      People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.

      It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions [brown.edu] on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.
    • by acomj ( 20611 ) on Tuesday August 16, 2005 @07:46PM (#13335471) Homepage
      Where I work, we have classes. And the instructor takes his notebook out and hooks into the network, pulls his powerpoint. During the class a window pops up... Oh, he says, its just a virus, it pops up from time to time, and procedes to reboot and keep going.

      After class the computer goes back in the bag for a month, as he has a desktop in his office. The virus hibernates....

      Our IT folks must love this..
  • MS says.. (Score:5, Insightful)

    by Turn-X Alphonse ( 789240 ) on Tuesday August 16, 2005 @06:45PM (#13335002) Journal
    It doesn't effect Windows XP, so Microsoft will just go "You should of updated". Which will lead to more sales of XP by the masses beliving they need the latest OS to "be safe".
    • Re:MS says.. (Score:3, Insightful)

      by Anonymous Coward
      Well it's true, isn't it?

      I don't run vulnerable versions of the Linux kernel either, do you?
      • Re:MS says.. (Score:5, Insightful)

        by (startx) ( 37027 ) <slashdotNO@SPAMunspunproductions.com> on Tuesday August 16, 2005 @07:23PM (#13335264) Journal
        I don't run vulnerable version of the Linux kernel, but then again I don't have to pay to upgrade either.
      • Re:MS says.. (Score:3, Insightful)

        I think using 2000 instead of XP is more akin to running kernel 2.4 instead of 2.6 than running a 'vulnerable' version of the kernel. Remember that older Linux kernels are still maintained, and used by many people who require specific features that were changed in more recent versions.

        I think the same can be said of many Windows 2000 users, who may not like a lot of the interface changes made to XP (and, yes, that goes beyond the Luna theme, which I realize is merely a default). Of course, as others noted
        • and the like are all in a hard place.

          As much as they would like very much to have a stable OS (OS X, Linux, BSD. any stable OS, dag nabbit,) they have developped software on their own for their own purposes (Microsoft doesn't make everything, ya kno',) and their budgets don't allow for the kinds of redeployment costs associated with a new OS or even a new version of an old OS. (The roll out costs to Microsoft's clients dwarfs the cost of the OS. If only it wasn't a POS.)

          I was working at a client's who were
    • Re:MS says.. (Score:2, Informative)

      by Guspaz ( 556486 )
      What are you talking about? This virus does affect Windows XP. WinXP is a Windows 2000 based OS.

      Microsoft has released patches for this that cover Windows XP as well as 2000 and 2003:

      http://www.microsoft.com/technet/security/bulletin /MS05-039.mspx [microsoft.com]
      • Re:MS says.. (Score:5, Informative)

        by cnettel ( 836611 ) on Tuesday August 16, 2005 @07:24PM (#13335283)
        It requires authentication, though. So, if you are not wide-open for file sharing through SMB or something, you will need to be infected by a machine that already has login credentials for some machine. So, it's remote privilege elevation on XP, but not form an anonymous user, making the threat much lower. Until that trsuted, unpatched 2000 machine enters the LAN.
        • Re:MS says.. (Score:4, Informative)

          by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Tuesday August 16, 2005 @07:44PM (#13335448) Homepage
          Except if 'simple' (aka. broken) file sharing is enabled, as it is on XP Home, it'll let anyone in as guest. It's implemented at the NTLM auth level.. as I've found to my cost with SSPI based applications (the workaroud is to check the registry for the setting and warn the user they disabled their security...).
    • by account_deleted ( 4530225 ) on Tuesday August 16, 2005 @07:16PM (#13335213)
      Comment removed based on user account deletion
  • All of a sudden (Score:5, Insightful)

    by inode_buddha ( 576844 ) on Tuesday August 16, 2005 @06:46PM (#13335003) Journal
    All of a sudden, a worm makes mainstream news because it invaded CNN's network. I guess that is a sad indicator of what it takes to raise awareness.
    • All of a sudden, a worm makes mainstream news because it invaded CNN's network.

      They've usually reported on worms in the past.

      What's different in this case is that they explicitly said it affects Microsoft systems. In the past, they would usually (but not always) say, "there's a new virus going around and every computer in the world is vulnerable." I would complain to them about not specifying the OS, comparing it to reporting on a new safety flaw in cars without naming the make and model.

    • by qyiet ( 851101 ) on Tuesday August 16, 2005 @07:46PM (#13335469)
      It could have done us all a favor, and infected Fox's network.
    • Re:All of a sudden (Score:5, Insightful)

      by fdiskne1 ( 219834 ) on Tuesday August 16, 2005 @07:49PM (#13335495)
      I was in the process of testing the latest patches and was planning on expanding them out to the rest of the couple of thousand machines later in this week. I heard about the exploits available online when I woke up Sunday morning. I worked on Sunday making sure the couple of thousand machines we have were patched. By the time I was done, two viruses taking advantage of the vulnerability were in the wild so I got the signatures updated in case any machines were missed by the auto update I started. Today as I was about to leave, someone up the chain of command (not in a direct line of management with IT, thankfully) with no IT knowledge called, nearly in a panic. "My mother just called and CNN is calling this one of the worst viruses ever." I figured, "Yeah, she read a virus hoax email." She conference me in with her mother so I could hear what CNN was saying. I have never heard so much hype over such a minor virus before. From what I heard, it sounded like they were way over the top. I calmly explained to them the process I went through and when. CNN is reporting it two days later. I know this is a new version, but jeeze. Haven't these companies learned from previous virus events? I'm glad I stopped watching major media news.
    • and for hours, only the international edition of CNN carried it on the front page. The US edition didn't. Actually, BBC wasn't much better, with just a small link on the side at the top of its news page.

      I'm not really surprised, just sad. Celebrities hold more interest in the US than most other news stories, and forget international news, unless it involves (some of the many) ongoing wars.
  • by Saint Aardvark ( 159009 ) * on Tuesday August 16, 2005 @06:46PM (#13335005) Homepage Journal
    ... from the ever-excellent In [sans.org]http://isc.sans.orgternetstorm/ [isc.sans.orgternetstorm] Center:
    Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.

    As reported by Slashdot [slashdot.org] t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:

    We moved to 'Yellow' on Friday, after we did see a number of exploits released for last weeks Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.

    As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

    [....] Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow for ever.

  • *Moderate* severity (Score:3, Interesting)

    by the_skywise ( 189793 ) on Tuesday August 16, 2005 @06:46PM (#13335008)
    Dunno if the slashdotting did it, But MS's site now says it's a Moderate Severity risk.

    Or code Bert...
  • by Kafka_Canada ( 106443 ) on Tuesday August 16, 2005 @06:46PM (#13335011)
    hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others.

    Hm, must be a Karl Rove plant.

    Or else it's just another victory in the GWOT?
    • Microsoft, a few days ago: "Worms are coming. Here's the patch. Secure your systems."

      NYT/CNN/ABC: "Yawn. We don't see any worms. Stop trying to scare us. It's acceptable to lose a few LANs so we don't have our right to pr0n infringed, or something."

      Today: Worm hits.

      NYT/CNN/ABC: "It's Karl Rove's fault!"

      FOX: "Our networks are fine. Who's the dumbass now?"

      Microsoft: "Good thing people too stupid to run Windows Update are also too stupid to run Linux."
  • by craznar ( 710808 ) on Tuesday August 16, 2005 @06:47PM (#13335024) Homepage
    160 dead in Venezuela Crash, Gaza Pull out and Paul Abdul's Idol issues.

    I doubt it - yet it's front page on CNN.COM...
  • I wonder... (Score:5, Interesting)

    by pointguy ( 761068 ) on Tuesday August 16, 2005 @06:48PM (#13335029)
    ... how many computers Apple will sell because of this?
  • Microsoft calls it a "low impact" threat and tells you What you should know about Zotob.

    "Low impact" in the sense of how low you would be if a meteorite impacted you crown-first.
    • Re:Impact (Score:3, Informative)

      The Caterpillar plant I work at was down for over 16 hours, I doubt they would consider it low impact in light of the profit lost, as a result. Maybe they will switch to Linux.

      Then again, they don't hire people based on their qualifications, multiplying any estimated repair time by ~10 and you come close to the actual down-time time in our facility.
  • Cue wild speculation (Score:3, Interesting)

    by saskboy ( 600063 ) on Tuesday August 16, 2005 @06:49PM (#13335037) Homepage Journal
    Now that media is directly affected, they will start proclaiming that this worm is the worst ever, and has caused billions of dollars in losses for businesses.

    Media worm hype really sucks, is my point.

    What I found amusing today were the two alert emails in my inbox. The first one was a warning about the new Acrobat flaw [which makes it a requirment to install a bad version of Acrobat, and then patch it *3* times to fix it!]. Then next email was one about this Zotob worm spreading through the PnP ethernet bug in Windows 2000 - but the information came via a .pdf file!
  • Payload (Score:5, Funny)

    by Teclis ( 772299 ) on Tuesday August 16, 2005 @06:50PM (#13335045) Homepage
    "Gives a remote attacker full control over the compromised computer to perform various actions, including:

    Downloading and executing files
    Making queries to www.google.com ..."

    Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?

  • ISC [sans.org] is still showing green. To quote directly from the handler:

    "CNN is heavily covering an outbreak of a worm in its own network. They are reporting that ABCNews and NYTimes are hit as well. All statements so far make this look like a Zotob variant, even though this variant appears to reboot the system. (Zotob.d ?).

    Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior


  • Microsoft says this virus has medium impact, not low as the submitter says. Is the submitter perhaps spreading some FUD of his own or did MS upgrade the threat?
  • All j00r base are belong to us!
  • by tfcdesign ( 667499 ) on Tuesday August 16, 2005 @06:53PM (#13335065) Journal
    What virus?
  • by Penguinshit ( 591885 ) on Tuesday August 16, 2005 @06:54PM (#13335069) Homepage Journal

    The executable in this particular instance is "wintbp.exe". I thought at first it might be a randomly-named executable, but all 100+ systems I'm manually disinfecting at the moment have the same executable. It tries to connect to other systems via port 445, aka the "Magic Windoze Port"(tm).

    Apparently all it's doing is rebooting systems, but I haven't done any kind of a postmortem so don't know. I haven't detected any other connection attempts either inside or outside.

    Manual disinfection means disconnecting your NIC and then using regedit to delete this value:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr ent Version\Run\wintbp.exe

    You must then reboot the machine to disable the executable which is:

    C:\%systemroot%\System32\wintbp.exe.

    Good luck. I'm glad my own systems are Linux....
  • I just got XM in my car. I'm an internet dude. What struck me as I was driving home around 6pm EST was how CNN was covering it, admitted they got infected, and it seemed to remind me of SQL Slammer / Code Red.

    Anyway, they kept saying only windows 2000 was affected, but the patch was for pnp on 2000/xp/2003. In a later report CNN did mention it might affect XP too.

    This makes me wonder how seriously people (BHPs, IT guys, FireWall guys, etc) take worms. Where I work we have many FWs, push patches very of
  • AOL Call Centers (Score:2, Interesting)

    by Anonymous Coward
    I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.
  • I have to ask (Score:5, Insightful)

    by js3 ( 319268 ) on Tuesday August 16, 2005 @06:57PM (#13335098)
    why a company like CNN and ABC with billions of dollars in revenue is still running unpatched windows 2000 computers.
    • > why a company like CNN and ABC with billions of
      > dollars in revenue is still running unpatched
      > windows 2000 computers.

      To that, I have to ask: What reason is there to run Windows XP, when you have perfectly valid licensed copies of Windows 2000?

      I've not yet seen any valid need for running Windows XP, nor spending the money and time to "upgrade". What's the motivation to switch?

      Ryan Fenton
    • Because they might have travelling users who have been out of town last week and not received the update via the company's internal servers? (among about 100 valid reasons why a company as large as CNN might not have 100% patch compliance within a 6 day window)

      A better question to ask would be: Why do companies like CNN and ABC spend billions on Microsoft software when that use repeatedly results in global network-crushing superworms.
  • That would be bad.
    On the bright side, Linux and OSX operating system market shares would skyrocket.
  • by commo1 ( 709770 ) on Tuesday August 16, 2005 @07:00PM (#13335126)
    Microsoft is calling this threat "low-impact" or "moderate" is that they consider Windows 2000 to be a second-tier operating system at this point and that everyone (and I mean everyone and his dog or penguin) should be using XP. Good points made above for the "variant" aspect of this virus. I'm running XP on a customer's machine (that's my cop-out, anyway), and it's got botzor.exe in the registry.
    • Yeah, Microsoft thinks that everyone should be running Windows XP...

      Despite the fact that Microsoft has released a patch for Windows 2000 to plug the hole that the worms are exploiting.

      It's the companies fault for not having patched. Microsoft released them as critical updates, and that they needed to be installed.

      Also, Microsoft has Windows Server 2003, which is generally going to be a much better upgrade choice from 2000, than XP.

      (Opinions expressed are my own.)
  • by Nom du Keyboard ( 633989 ) on Tuesday August 16, 2005 @07:04PM (#13335142)
    So it has hit CNN, ABC, the New York Times. Obviously this worm is part of the Vast Right-Wing Conspiracy!
  • CNN is reporting that the worm hit at Capitol Hill. I wonder if Microsoft will get any sympathy from any Senator that has his/her computer distroyed by this.
  • by Gadgetfreak ( 97865 ) on Tuesday August 16, 2005 @07:10PM (#13335186)
    I'm wondering how much worse this has been made by the new policy of only allowing updates for legit copies of Windows. Can the millions with illegal copies get their fix, or will they just be sitting ducks for this and the next exploit to come along?

    • AFAIK, W2K isn't really checked, but a "pass-all" is done.
    • The new policy has zero effect. People with "unvalidated" copies of windows can still download security updates. They can't download new 'feature releases'; versions of IE, MediaPlayer, DirectX, etc.
    • In theory, Windows Update and automatic updates via Control Panel don't require validation, but Microsoft Update and manual downloads via the download center do. If things work as advertised, you can get security fixes without validating.

      Of course, don't forget the words in bold. I've had to validate my Windows XP box twice without changing any hardware. Fortunately my Linux boxes don't need any stinking validation to update via yum.
  • by cperciva ( 102828 ) on Tuesday August 16, 2005 @07:13PM (#13335197) Homepage
    We need to re-think we way we apply security patches. The patches for this problem were available several days ago; why weren't they applied?

    The answer is that Microsoft security patches have a reputation for causing things to break. Why this happens, I don't know -- Microsoft certainly has the resources necessary to test their patches before releasing them -- but for whatever reason, patches from Microsoft have developed that reputation. As a result, administrators of large networks have learned to not apply security patches immediately to all systems, but instead to test them on a few machines for some time first -- exactly the same way as other patches are handled.

    The decreasing window between patch publication and widely distributed exploit code means that this approach simply doesn't work any more. Security patches must be applied to all affected systems immediately. Don't stop to test them; just apply the patches and reboot if necessary.

    Of course, this means that vendors need to do a good job of testing security fixes before releasing them. I'm proud of the fact that in my time on the FreeBSD security team, we have never released a security patch which has caused new problems. While we don't officially recommend this, I know several people who have their systems automatically download and install FreeBSD security patches -- because they trust us to make sure that our security patches will never break anything.

    After all... if you can't trust the security team of the operating system you're running, why are you running that operating system?
  • When I try to read the informationweek article, my browser locks up and gives an SSL error (Error code: -12281). I'm running the latest FF and Slackware 10.

    Anybody else having any problems with the article

  • A worm shut down computers running Windows 2000 software across the United
    States.


        And that's IT. Ironically, I'm posting this from a Win2k machine. Sorry, all.
  • this is getting ridiculous.

    when are non-windows users going to get in on the fun?

    or is the fun actually in watching the knuckleheads fix their boxes, share their stories, re-infect each other, etc?
  • One thing that really should be pointed out again (it is around on the news also) is that this is an exploit for an already patched exploit. The exploit is in fact most likely constructed by disassembling the Microsoft patch to discover the flaw. I know that I am a bit of a Microsoft apologist on Slashdot, but that really is because the Microsoft bashing is often ill-founded.

    In this case Microsoft have really done everything any vendor can ever do in this kind of situation. They got the patch out there be

  • It's not totally bad... I mean at least it is trying to do the average joe some kind of favour:

    Kind of anyway:

    [http://securityresponse.symantec.com/avcenter/ven c/data/w32.zotob.d.html%5D [symantec.com]

    Searches for the following files and folders to delete the files and the contents of folders:

    %SYSTEM%\pnpsrv.exe
    %SYSTEM%\winpnp.exe
    %SYSTEM%\csm.exe
    %SYSTEM%\botzor.exe
    %PROGRAMFILES%\MyWebSearch
    %PROGRAMFILES%\MyWebSearch\*.exe
    %PROGRAMFILES%\Hotbar
    %PROGRAMFILES%\Hotbar\*.exe
    %PROGRAMFILES%\MyWay
    %PROGRAMFILES%\MyWay\*.exe
    %PROGRA
  • Is it just me... (Score:5, Interesting)

    by rootedgimp ( 523254 ) on Tuesday August 16, 2005 @07:25PM (#13335292)
    Or does it seem like this new worm proves that there is a digital advertising war going on? Bear with me a second...

    Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a mexican / chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they wont'
    Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:

    9. Deletes the following registry values:
    "Windows PNP Server" "Windows PNP" "csm Win Updates" "MyWebSearch" "WINDOWS SYSTEM" "Zotob" "MyWay" "WeatherOnTray" "Apropos" "IBIS TB" "TBPS" "Toolbar" "Hotbar" "CMESys" "NavExcel" "ViewMgr" "eZula" "EbatesMoeMoneyMaker" "Ebates" "AutoUpdater" "Gator" "Trickler" "QuickTime" "GatorDownloader" "eZmmod" "Viewpoint" "TkBellExe" "180" "WinTools" "Real" "QuickTime Task" "sais" "msbb" "saie" "180ax" "lgbibsn" "tov"

    from the following subkeys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunO nce

    10. Searches for the following files and folders to delete the files and the contents of folders:
    * %SYSTEM%\pnpsrv.exe
    * %SYSTEM%\winpnp.exe
    * %SYSTEM%\csm.exe
    * %SYSTEM%\botzor.exe
    * %PROGRAMFILES%\MyWebSearch
    * %PROGRAMFILES%\MyWebSearch\*.exe
    * %PROGRAMFILES%\Hotbar
    * %PROGRAMFILES%\Hotbar\*.exe
    * %PROGRAMFILES%\MyWay
    * %PROGRAMFILES%\MyWay\*.exe
    * %PROGRAMFILES%\180Solutions
    * %PROGRAMFILES%\180Solutions\*.exe
    * %PROGRAMFILES%\Common Files\WinTools
    * %PROGRAMFILES%\Common Files\WinTools\*.exe
    * %PROGRAMFILES%\Toolbar
    * %PROGRAMFILES%\Toolbar\*.exe
    * %PROGRAMFILES%\CxtPls
    * %PROGRAMFILES%\NavExcel
    * %PROGRAMFILES%\AutoUpdate
    * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
    * %PROGRAMFILES%\EbatesMoeMoneyMaker
    * %PROGRAMFILES%\eZula
    * %PROGRAMFILES%\eZula\mmod.exe
    * %PROGRAMFILES%\Common Files\GMT
    * %PROGRAMFILES%\Common Files\GMT\GMT.exe
    * %PROGRAMFILES%\CommonFiles\CMEII


    Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the /. community present for this virus removing spyware?
    • My first thought was that this was another foolhardy attempt at a white-hat worm, where the intention is to help clean a victim's machine, maybe of a lot of malware...

      But having just spent an all-nighter in the office cleaning up the B variant, this new D doesn't do nearly enough to actually fix the damage.

      What really pisses me off about Windows, is that this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.

      Microsoft: please, for the love of god, imple
      • One undocumented trick that works to kill any process on an NT box is "drwtsn32 -p xxx" where xxx is the process number. Technically what you are doing is attaching the debugger (drwtsn32) and terminating the process that way. I found this by looking over the source for an old version of Dr. Watson.
  • SBC (Score:4, Interesting)

    by Widowwolf ( 779548 ) on Tuesday August 16, 2005 @07:36PM (#13335385) Homepage
    Well all i can tell you is SBC is down(thats right the phone company SBC)...company wide!(Cingular is not down at this moment)
  • Come on... let's be serious here. Has Trend Micro never heard of SQL Slammer? The worm that melted the internet in 15 minutes? Meanwhile, several DAYS after this worm was released, it's just barely starting to make the news, and that only because the news agencies themselves got hit.

    Or perhaps the story summary is just making up stuff. The links provided have no quote from TM saying such silliness.

  • by doormat ( 63648 ) on Tuesday August 16, 2005 @07:47PM (#13335481) Homepage Journal
    Zotob might be what most people need to clean up their spyware.....

    # Searches for the following files and folders to delete the files and the contents of folders:
      * %SYSTEM%\pnpsrv.exe
      * %SYSTEM%\winpnp.exe
      * %SYSTEM%\csm.exe
      * %SYSTEM%\botzor.exe
      * %PROGRAMFILES%\MyWebSearch
      * %PROGRAMFILES%\MyWebSearch\*.exe
      * %PROGRAMFILES%\Hotbar
      * %PROGRAMFILES%\Hotbar\*.exe
      * %PROGRAMFILES%\MyWay
      * %PROGRAMFILES%\MyWay\*.exe
      * %PROGRAMFILES%\180Solutions
      * %PROGRAMFILES%\180Solutions\*.exe
      * %PROGRAMFILES%\Common Files\WinTools
      * %PROGRAMFILES%\Common Files\WinTools\*.exe
      * %PROGRAMFILES%\Toolbar
      * %PROGRAMFILES%\Toolbar\*.exe
      * %PROGRAMFILES%\CxtPls
      * %PROGRAMFILES%\NavExcel
      * %PROGRAMFILES%\AutoUpdate
      * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
      * %PROGRAMFILES%\EbatesMoeMoneyMaker
      * %PROGRAMFILES%\eZula
      * %PROGRAMFILES%\eZula\mmod.exe
      * %PROGRAMFILES%\Common Files\GMT
      * %PROGRAMFILES%\Common Files\GMT\GMT.exe
      * %PROGRAMFILES%\Common Files\CMEII
  • by Indy1 ( 99447 ) on Tuesday August 16, 2005 @08:11PM (#13335643)
    Major media corp IT depts badly behind in patching their systems, news at 11!

    Honestly Zotob is a joke. I work IT for a major university thats 95% win 2k and xp, and so far we've had 0 zotob infections. I wouldnt be surprised if we eventually got 1 or 2 here and there with old boxes that arent tied into the domain, but the vast majority of the workstations auto update themselves and hence this is a non issue for any properly run network.
  • by phorm ( 591458 ) on Tuesday August 16, 2005 @08:20PM (#13335697) Journal
    From symantec [symantec.com], it almost sounds like the worm is trying to decrudify your system. It attempts to kill the realplayer, quicktime, gator, and many spyware/malware/adware toolbars. It alsocleans them out of the registry, and deletes their files.

    Too bad it also opens an FTP, IRC connection, and many others, but I do wonder if it's a variant on code originally intended to clean rather than infest?

    I also quite like how MS directs you to complain to the Internet Fraud Complaint Center Web site [ifccfbi.gov], I'm sure they really appreciate all the extra phonecalls about infected operating systems...
  • by mexicangeek ( 799235 ) on Tuesday August 16, 2005 @08:24PM (#13335720)
    "CNN's network admins suck."
  • MS authored? (Score:4, Insightful)

    by saddino ( 183491 ) on Tuesday August 16, 2005 @08:31PM (#13335757)
    So, MS, who desperately wants the 50% or so of entrenched businesses still on 2000 to upgrade, claims this worm is "low impact" hmm?

    Clearly, MS is implying the solution is to upgrade to XP. From their site: If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants.

    How convenient! Really, why do I think the first answer to Bill's brainstorming marketing session on "How do we get people to move off 2000?" was some smart-ass saying "Well, we could always write a virus or worm for it."

    After all, any notion of "irreperable harm" from security threats has vanished in the onslaught on the Windows hegemony. One little, "not so bad" worm wouldn't really hurt the Windows reputation any more than it already has been, and it sure would be a nice kick-in-the-pants for those businesses sitting on the 2000 fence.

    Just saying^H^H^H^H^H^Hpostulating.

  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Tuesday August 16, 2005 @09:12PM (#13335941)
    Comment removed based on user account deletion
  • FUD alert.... (Score:3, Interesting)

    by Khyber ( 864651 ) <techkitsune@gmail.com> on Tuesday August 16, 2005 @09:15PM (#13335959) Homepage Journal
    DISCLAIMER:This comment may be FUD...

    Seeing as Microsoft stopped supporting Windows 2000, wouldn't this seem like a nice co-incidental way of "encouraging" users to upgrade to Windows XP??

    Of course, one could always go to a pirated version of XP... Why pay for a simple security upgrade, after all?
  • Removes spyware? (Score:3, Interesting)

    by gargan ( 4764 ) * on Tuesday August 16, 2005 @09:18PM (#13335980) Homepage Journal
    Has anyone else noticed that according to the Symantec security response [symantec.com] page, this virus removes several common spyware files? kills process, removes registry entry, and deletes. I suppose it does this so that it will have the machine's internet connection mostly to itself, but I find that fascinating.
    • by mabu ( 178417 ) on Tuesday August 16, 2005 @10:11PM (#13336258)
      It makes perfect sense.

      All these worms are written by spammers who want to turn the machines into zombied SMTP servers. They want to disable other exploitive processes.

      If all major ISPs filtered port 25 traffic (like AOL does) from anyplace other than their in-house SMTP gateways, you'd see worm activity drop to almost nothing. It's all about spamming. And the feds don't seem to care. Sooner or later, the major broadband providers will act responsibly and stop their clients from becoming spam zombies, then there won't be much of a need for these worms to be released. That's what they're all about: spamming.
  • by interstellar_donkey ( 200782 ) <pathighgate&hotmail,com> on Wednesday August 17, 2005 @12:47AM (#13336866) Homepage Journal
    From Microsoft's info page:

    Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.

    Ummm...

    "Hello, FBI? Yeah, hi. This is Pat. Listen, I've noticed my computer has been running a little slow lately. Yeah, more so then usual... Well, I heard about this new worm virus on the news... Yeah, I know I should run a virus scanner... Yes, I'm aware that the FBI does not troubleshoot and provide support for PCs... No, I don't expect you to launch a huge investigation because I suspect I *might* have been infected... Of course I'm aware that even if I was infected, there's really nothing the FBI can do about my particular case. . . . What do you mean 'Why am I calling you'?? Microsoft said I should!!"

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...