Slashdot Mirror


MS05-039 Worm in the Wild

An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

3 of 252 comments

  1. ClamAV by slavemowgli · Score: 5, Informative

    And it's detected by ClamAV already, too.

    --
    quidquid latine dictum sit altum videtur.
  2. crappy summary by smoondog · Score: 5, Informative

    What a crappy summary, it doesn't even mention what operating system this affects (or how to patch for that matter). "Important facts" from the article:

    - Patch MS05-039 will protect you
    - Windows XP SP2 and Windows 2003 cannot be exploited by this worm, as the worm does not use a valid logon.
    - Blocking port 445 will protect you (but watch for internal infected systems)
    - The FTP server does not run on port 21. It appears to pick a random high port.

  3. Re:Vulnerability by louarnkoz · Score: 5, Informative

    The "valid logon" comment is misleading. On XP/SP2 and Windows 2003, the remote function can only be exploited by a logon with administrative privilege, the equivalent of root access. SP2 does not correct all bugs in Windows XP, but it includes a lot of system hardening. The guiding idea was "defense in depth", i.e. don't assume that the software is perfect, add multiple layers of protection. One of these defenses was requiring authentication for all RPC access. This "defense in depth" seems to be working, at least in this case.