Zotob Worm Hits CNN and Goes Global
securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."
Dunno if the slashdotting did it, but MS's site now says it's a Moderate Severity risk.
As a Linux user I feel left out of all the seemingly weekly worm fun... I mean, my chosen OS has some of the best hacker (both good and evil) minds behind it and tons of techie users... yet we have no fun worms. Sure, an unsecured and non-updated Linux server box will end up getting hacked into by the script kiddies here and there... but what about us desktop users?
Meh.
... how many computers Apple will sell because of this?
Now that media is directly affected, they will start proclaiming that this worm is the worst ever, and has caused billions of dollars in losses for businesses. Media worm hype really sucks, is my point.
What I found amusing today were the two alert emails in my inbox. The first one was a warning about the new Acrobat flaw [which makes it a requirement to install a bad version of Acrobat, and then patch it *3* times to fix it!]. The next email was one about this Zotob worm spreading through the PnP ethernet bug in Windows 2000 - but the information came via a .pdf file!
I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.
Microsoft is calling this threat "low-impact" or "moderate" because they consider Windows 2000 to be a second-tier operating system at this point and that everyone (and I mean everyone and his dog or penguin) should be using XP. Good points made above for the "variant" aspect of this virus. I'm running XP on a customer's machine (that's my cop-out, anyway), and it's got botzor.exe in the registry.
They also announced that a number of Chrysler plants were also dropped offline due to this thing.
The kicker was how the news anchors reacted, you know, when they get to spout their little uneducated opinions on the matter during that 45 second space between the end of the story and the next commercial. One guy said something like "Gosh, with those computers, if it's not one thing it's another" and the anchor woman next to him said something about how terrible it is to lose all your personal data and have to "reboot".
This is sooooooo classic. I wish I had been recording that. It shows how uneducated people are and how foolishly inclined even the media themselves are to believe just about anything thrown at them, like 'Microsoft = Computers' and how these problems are completely unavoidable, like there is NO ALTERNATIVE to using MS products.
I'm in the process of writing them a (much better spoken) letter about the tragedy brought about by convenience and ignorance. Any comments on some points I can bring up? Not to troll, well yeah, to troll, just thought I'd ask. It can't hurt a thing to inform these people a little on the *real world* use of the operating system that drives us into the future.
I know that one day we will be looking at some serious security problems with OSS, especially when it hits prime time. But when that day comes it's not going to be up to some big ass company with greedy motives to fix it, or to delay a fix so it can push out 'updated versions' of its software for sale instead. The fix is going to come from thousands of sources and this is a GOOD THING. We have the source code to fix the problem and staff on hand to implement a quick solution to a wide range of possible issues on the kernel level. We don't need to pray and wait for some extortionist corporation to be merciful enough to bend under the will of the most basic moral resourcefulness of its staff.
"Ignore it, like millions of others."
Well, generally speaking it looks like that's not really a bad thing to do in this case. Check out the Symantec Security Response page (link in TFSummary), all it appears to do is remove spyware applications from the filesystem and their startup keys in the registry. Oh noes!!11!one!!
"gray-hat" worm?
I'm wondering how much worse this has been made by the new policy of only allowing updates for legit copies of Windows. Can the millions with illegal copies get their fix, or will they just be sitting ducks for this and the next exploit to come along?
It's not totally bad... I mean at least it is trying to do the average joe some kind of favour. Kind of, anyway: http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
Searches for the following files and folders to delete the files and the contents of folders:
%SYSTEM%\pnpsrv.exe
%SYSTEM%\winpnp.exe
%SYSTEM%\csm.exe
%SYSTEM%\botzor.exe
%PROGRAMFILES%\MyWebSearch
%PROGRAMFILES%\MyWebSearch\*.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\MyWay
%PROGRAMFILES%\MyWay\*.exe
%PROGRAMFILES%\180Solutions
%PROGRAMFILES%\180Solutions\*.exe
%PROGRAMFILES%\Common Files\WinTools
%PROGRAMFILES%\Common Files\WinTools\*.exe
%PROGRAMFILES%\Toolbar
%PROGRAMFILES%\Toolbar\*.exe
%PROGRAMFILES%\CxtPls
%PROGRAMFILES%\NavExcel
%PROGRAMFILES%\AutoUpdate
%PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
%PROGRAMFILES%\EbatesMoeMoneyMaker
%PROGRAMFILES%\eZula
%PROGRAMFILES%\eZula\mmod.exe
%PROGRAMFILES%\Common Files\GMT
%PROGRAMFILES%\Common Files\GMT\GMT.exe
%PROGRAMFILES%\Common Files\CMEII
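As an added example (not from this post or from Symantec), a small Python sweep that parses a deletion list in the Symantec format above and reports which entries actually exist on a host, separating the worm's own %SYSTEM% executables from the adware folders it clears. The embedded list is abridged, and the sample directory tree it builds is constructed for the demo.

```python
import os
import tempfile
# Deletion list quoted from the Symantec W32.Zotob.D write-up above (abridged).
SYMANTEC_LIST = r"""
%SYSTEM%\pnpsrv.exe
%SYSTEM%\winpnp.exe
%SYSTEM%\csm.exe
%SYSTEM%\botzor.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\Common Files\WinTools\*.exe
"""
def parse_symantec_list(text):
    """Turn '%VAR%\\relative\\path' lines into (VAR, relative_path) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("%") and "%" in line[1:]:
            var, _, rel = line[1:].partition("%")
            entries.append((var, rel.lstrip("\\")))
    return entries
def sweep(entries, roots):
    """roots maps 'SYSTEM'/'PROGRAMFILES' to real directories; returns entries present
    on disk, split into the worm's own %SYSTEM% executables and adware it removes."""
    hits = {"worm": [], "adware": []}
    for var, rel in entries:
        base = roots.get(var)
        if base is None:
            continue
        parts = rel.split("\\")
        if parts[-1] == "*.exe":  # wildcard entry: any .exe inside that folder
            folder = os.path.join(base, *parts[:-1])
            found = os.path.isdir(folder) and any(
                n.lower().endswith(".exe") for n in os.listdir(folder))
        else:
            found = os.path.exists(os.path.join(base, *parts))
        if found:
            hits["worm" if var == "SYSTEM" else "adware"].append(f"%{var}%\\{rel}")
    return hits
def demo_roots():
    """Constructed sample tree: a dropped botzor.exe plus a Hotbar adware folder."""
    tmp = tempfile.mkdtemp()
    sysdir = os.path.join(tmp, "system32")
    hotbar = os.path.join(tmp, "Program Files", "Hotbar")
    os.makedirs(sysdir); os.makedirs(hotbar)
    open(os.path.join(sysdir, "botzor.exe"), "w").close()
    open(os.path.join(hotbar, "HbInst.exe"), "w").close()
    return {"SYSTEM": sysdir, "PROGRAMFILES": os.path.dirname(hotbar)}
```

On a real Windows 2000 host the roots would be the expanded %SYSTEM% and %PROGRAMFILES% values; a hit in the "worm" list is the signal to isolate the box and apply MS05-039, while "adware" hits show what the worm has not yet cleared.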
Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a Mexican / Chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they won't'
Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:
Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the
Well, all I can tell you is SBC is down (that's right, the phone company SBC)... company wide! (Cingular is not down at this moment)
Zotob might be what most people need to clean up their spyware.....
From Symantec, it almost sounds like the worm is trying to decrudify your system. It attempts to kill the RealPlayer, QuickTime, Gator, and many spyware/malware/adware toolbars. It also cleans them out of the registry, and deletes their files.
Too bad it also opens an FTP, IRC connection, and many others, but I do wonder if it's a variant on code originally intended to clean rather than infest?
I also quite like how MS directs you to complain to the Internet Fraud Complaint Center Web site, I'm sure they really appreciate all the extra phonecalls about infected operating systems...
Well, have you ever seen their idiot tech reporter, Daniel Sieburg (or whatever)?
If their tech department is anything like HIM they are lucky they can even get their computer turned on in the morning! No one in their tech reporting department has ever heard of a computer other than a PC running Windows.
They are just idiots... plain corporation-worshiping idiots.
DISCLAIMER:This comment may be FUD...
Seeing as Microsoft stopped supporting Windows 2000, wouldn't this seem like a nice coincidental way of "encouraging" users to upgrade to Windows XP??
Of course, one could always go to a pirated version of XP... Why pay for a simple security upgrade, after all?
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Has anyone else noticed that according to the Symantec security response page, this virus removes several common spyware files? kills process, removes registry entry, and deletes. I suppose it does this so that it will have the machine's internet connection mostly to itself, but I find that fascinating.
Anyone notice it is deleting these files?
%PROGRAMFILES%\MyWebSearch
%PROGRAMFILES%\MyWebSearch\*.exe
%PROGRAMFILES%\Hotbar
%PROGRAMFILES%\Hotbar\*.exe
%PROGRAMFILES%\MyWay
%PROGRAMFILES%\MyWay\*.exe
%PROGRAMFILES%\180Solutions
%PROGRAMFILES%\180Solutions\*.exe
%PROGRAMFILES%\EbatesMoeMoneyMaker
as per http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html
Now if it just wouldn't reboot the computer.
Let's not get too cocky...
My first thought was that this was another foolhardy attempt at a white-hat worm, where the intention is to help clean a victim's machine, maybe of a lot of malware...
But having just spent an all-nighter in the office cleaning up the B variant, this new D doesn't do nearly enough to actually fix the damage.
What really pisses me off about Windows, is that this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.
Microsoft: please, for the love of god, implement KILL -9. Without a reboot. Thanks.
From Microsoft's info page:
Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.
More like: "Hello, FBI? Yeah, hi. This is Pat. Listen, I'd like to report some serious fraud. Microsoft sold me this operating system, and they said it was secure and stuff, but I just got totally pwned by another worm. When I asked them for my money back because their software didn't live up to their promises, they told me, 'Tough shit, the EULA says it's your problem and we get to keep your money. Neener, neener, neener!'"