Slashdot Mirror


Zotob Worm Hits CNN and Goes Global

securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."

18 of 522 comments

  1. *Moderate* severity by the_skywise · · Score: 2, Interesting

    Dunno if the slashdotting did it, but MS's site now says it's a Moderate Severity risk.

    Or code Bert...

  2. I wonder... by pointguy · · Score: 5, Interesting

    ... how many computers Apple will sell because of this?

  3. Cue wild speculation by saskboy · · Score: 2, Interesting

    Now that media is directly affected, they will start proclaiming that this worm is the worst ever, and has caused billions of dollars in losses for businesses.

    Media worm hype really sucks, is my point.

    What I found amusing today were the two alert emails in my inbox. The first one was a warning about the new Acrobat flaw [which makes it a requirement to install a bad version of Acrobat, and then patch it *3* times to fix it!]. The next email was one about this Zotob worm spreading through the PnP ethernet bug in Windows 2000 - but the information came via a .pdf file!

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  4. AOL Call Centers by Anonymous Coward · · Score: 2, Interesting

    I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.

  5. I think the reason..... by commo1 · · Score: 3, Interesting

    Microsoft is calling this threat "low-impact" or "moderate" is that they consider Windows 2000 to be a second-tier operating system at this point and that everyone (and I mean everyone and his dog or penguin) should be using XP. Good points made above for the "variant" aspect of this virus. I'm running XP on a customer's machine (that's my cop-out, anyway), and it's got botzor.exe in the registry.

  6. Re:Is your computer infected? by Haydn+Fenton · · Score: 3, Interesting

    "Ignore it, like millions of others."

    Well, generally speaking it looks like that's not really a bad thing to do in this case. Check out the Symantec Security Response page (link in TFSummary), all it appears to do is remove spyware applications from the filesystem and their startup keys in the registry. Oh noes!!11!one!!
    "gray-hat" worm?

  7. MS Windows Update Validation? by Gadgetfreak · · Score: 2, Interesting

    I'm wondering how much worse this has been made by the new policy of only allowing updates for legit copies of Windows. Can the millions with illegal copies get their fix, or will they just be sitting ducks for this and the next exploit to come along?

    --
    "No fair, you changed the outcome by measuring it!" - Professor Hubert J. Farnsworth
  8. It's not really that bad.. by Scaz7 · · Score: 2, Interesting

    It's not totally bad... I mean at least it is trying to do the average joe some kind of favour:

    Kind of anyway:

    [http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html]

    Searches for the following files and folders to delete the files and the contents of folders:

    %SYSTEM%\pnpsrv.exe
    %SYSTEM%\winpnp.exe
    %SYSTEM%\csm.exe
    %SYSTEM%\botzor.exe
    %PROGRAMFILES%\MyWebSearch
    %PROGRAMFILES%\MyWebSearch\*.exe
    %PROGRAMFILES%\Hotbar
    %PROGRAMFILES%\Hotbar\*.exe
    %PROGRAMFILES%\MyWay
    %PROGRAMFILES%\MyWay\*.exe
    %PROGRAMFILES%\180Solutions
    %PROGRAMFILES%\180Solutions\*.exe
    %PROGRAMFILES%\Common Files\WinTools
    %PROGRAMFILES%\Common Files\WinTools\*.exe
    %PROGRAMFILES%\Toolbar
    %PROGRAMFILES%\Toolbar\*.exe
    %PROGRAMFILES%\CxtPls
    %PROGRAMFILES%\NavExcel
    %PROGRAMFILES%\AutoUpdate
    %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
    %PROGRAMFILES%\EbatesMoeMoneyMaker
    %PROGRAMFILES%\eZula
    %PROGRAMFILES%\eZula\mmod.exe
    %PROGRAMFILES%\Common Files\GMT
    %PROGRAMFILES%\Common Files\GMT\GMT.exe
    %PROGRAMFILES%\Common Files\CMEII

  9. Is it just me... by rootedgimp · · Score: 5, Interesting
    Or does it seem like this new worm proves that there is a digital advertising war going on? Bear with me a second...

    Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a mexican / chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they won't'
    Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:

    9. Deletes the following registry values:
    "Windows PNP Server" "Windows PNP" "csm Win Updates" "MyWebSearch" "WINDOWS SYSTEM" "Zotob" "MyWay" "WeatherOnTray" "Apropos" "IBIS TB" "TBPS" "Toolbar" "Hotbar" "CMESys" "NavExcel" "ViewMgr" "eZula" "EbatesMoeMoneyMaker" "Ebates" "AutoUpdater" "Gator" "Trickler" "QuickTime" "GatorDownloader" "eZmmod" "Viewpoint" "TkBellExe" "180" "WinTools" "Real" "QuickTime Task" "sais" "msbb" "saie" "180ax" "lgbibsn" "tov"

    from the following subkeys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunOnce

    10. Searches for the following files and folders to delete the files and the contents of folders:
    * %SYSTEM%\pnpsrv.exe
    * %SYSTEM%\winpnp.exe
    * %SYSTEM%\csm.exe
    * %SYSTEM%\botzor.exe
    * %PROGRAMFILES%\MyWebSearch
    * %PROGRAMFILES%\MyWebSearch\*.exe
    * %PROGRAMFILES%\Hotbar
    * %PROGRAMFILES%\Hotbar\*.exe
    * %PROGRAMFILES%\MyWay
    * %PROGRAMFILES%\MyWay\*.exe
    * %PROGRAMFILES%\180Solutions
    * %PROGRAMFILES%\180Solutions\*.exe
    * %PROGRAMFILES%\Common Files\WinTools
    * %PROGRAMFILES%\Common Files\WinTools\*.exe
    * %PROGRAMFILES%\Toolbar
    * %PROGRAMFILES%\Toolbar\*.exe
    * %PROGRAMFILES%\CxtPls
    * %PROGRAMFILES%\NavExcel
    * %PROGRAMFILES%\AutoUpdate
    * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
    * %PROGRAMFILES%\EbatesMoeMoneyMaker
    * %PROGRAMFILES%\eZula
    * %PROGRAMFILES%\eZula\mmod.exe
    * %PROGRAMFILES%\Common Files\GMT
    * %PROGRAMFILES%\Common Files\GMT\GMT.exe
    * %PROGRAMFILES%\Common Files\CMEII


    Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the /. community present for this virus removing spyware?
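    A triage script for the indicators quoted in the comment above, as an added example that is not part of the original post or of Symantec's write-up. It takes a file listing and a dump of the HKLM Run / RunOnce values from a suspect host and reports which of the quoted artefacts are present. Two things are this example's own and not from the thread: the split into worm-family entries (the %SYSTEM% executables and the Run values named for them) versus adware and media-player autostarts, and the registry paths, which use the standard CurrentVersion\Run location. The host data at the bottom is constructed. The point of the split is the caveat several posters touch on: a hit on "QuickTime Task", "TkBellExe" or "Real" means only that RealPlayer or QuickTime is installed, so adware-class hits alone say nothing about whether Zotob has been on the box.

```python
"""Offline triage for the W32.Zotob.D indicators quoted in this thread.

Added example; not code from Symantec, Microsoft or any poster.  Given a
file listing and a dump of the HKLM Run / RunOnce values from a host, it
reports which quoted indicators are present, split into worm-family
artefacts and third-party adware / media-player autostarts (the split is
this example's own classification).
"""
import fnmatch

# File indicators as quoted from the Symantec write-up in the thread.
WORM_FILES = [r"%SYSTEM%\pnpsrv.exe", r"%SYSTEM%\winpnp.exe",
              r"%SYSTEM%\csm.exe", r"%SYSTEM%\botzor.exe"]
ADWARE_FILES = [
    r"%PROGRAMFILES%\MyWebSearch", r"%PROGRAMFILES%\MyWebSearch\*.exe",
    r"%PROGRAMFILES%\Hotbar", r"%PROGRAMFILES%\Hotbar\*.exe",
    r"%PROGRAMFILES%\MyWay", r"%PROGRAMFILES%\MyWay\*.exe",
    r"%PROGRAMFILES%\180Solutions", r"%PROGRAMFILES%\180Solutions\*.exe",
    r"%PROGRAMFILES%\Common Files\WinTools", r"%PROGRAMFILES%\Common Files\WinTools\*.exe",
    r"%PROGRAMFILES%\Toolbar", r"%PROGRAMFILES%\Toolbar\*.exe",
    r"%PROGRAMFILES%\CxtPls", r"%PROGRAMFILES%\NavExcel",
    r"%PROGRAMFILES%\AutoUpdate", r"%PROGRAMFILES%\AutoUpdate\AutoUpdate.exe",
    r"%PROGRAMFILES%\EbatesMoeMoneyMaker",
    r"%PROGRAMFILES%\eZula", r"%PROGRAMFILES%\eZula\mmod.exe",
    r"%PROGRAMFILES%\Common Files\GMT", r"%PROGRAMFILES%\Common Files\GMT\GMT.exe",
    r"%PROGRAMFILES%\Common Files\CMEII",
]
# Run-value names as quoted; worm-family versus adware is our own split.
WORM_RUN_VALUES = {"Windows PNP Server", "Windows PNP", "csm Win Updates",
                   "WINDOWS SYSTEM", "Zotob"}
ADWARE_RUN_VALUES = {
    "MyWebSearch", "MyWay", "WeatherOnTray", "Apropos", "IBIS TB", "TBPS",
    "Toolbar", "Hotbar", "CMESys", "NavExcel", "ViewMgr", "eZula",
    "EbatesMoeMoneyMaker", "Ebates", "AutoUpdater", "Gator", "Trickler",
    "QuickTime", "GatorDownloader", "eZmmod", "Viewpoint", "TkBellExe", "180",
    "WinTools", "Real", "QuickTime Task", "sais", "msbb", "saie", "180ax",
    "lgbibsn", "tov",
}
# Standard autostart keys (the thread's quote omits the CurrentVersion part).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def expand(indicator, env):
    """Substitute %SYSTEM% / %PROGRAMFILES% and lower-case (Windows paths are case-insensitive)."""
    for var, value in env.items():
        indicator = indicator.replace("%" + var + "%", value)
    return indicator.lower()


def path_matches(indicator, path):
    """True if `path` is the indicator itself, lies inside the indicator folder,
    or fits its *.exe pattern.  Both arguments are already lower-cased."""
    if "*" in indicator:
        return fnmatch.fnmatchcase(path, indicator)
    return path == indicator or path.startswith(indicator + "\\")


def scan_files(host_files, env):
    """Return {'worm': [...], 'adware': [...]} lists of (indicator, matched path)."""
    hits = {"worm": [], "adware": []}
    for label, indicators in (("worm", WORM_FILES), ("adware", ADWARE_FILES)):
        for ind in indicators:
            needle = expand(ind, env)
            hits[label] += [(ind, p) for p in host_files if path_matches(needle, p.lower())]
    return hits


def scan_run_values(registry):
    """registry: {key path: {value name: data}}.  Returns (key, name, data) hits by class."""
    hits = {"worm": [], "adware": []}
    worm = {v.lower() for v in WORM_RUN_VALUES}
    adware = {v.lower() for v in ADWARE_RUN_VALUES}
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if name.lower() in worm:
                hits["worm"].append((key, name, data))
            elif name.lower() in adware:
                hits["adware"].append((key, name, data))
    return hits


def triage(host_files, registry, env):
    """Combine both scans; only worm-class hits drive the verdict."""
    files, reg = scan_files(host_files, env), scan_run_values(registry)
    if files["worm"] or reg["worm"]:
        verdict = "zotob-family artefacts present"
    else:
        verdict = "no zotob-family artefacts; adware hits alone are not evidence"
    return {"files": files, "registry": reg, "verdict": verdict}


# Constructed sample host data (not a real capture); Windows 2000 system dir.
SAMPLE_ENV = {"SYSTEM": r"C:\WINNT\system32", "PROGRAMFILES": r"C:\Program Files"}
SAMPLE_FILES = [r"C:\WINNT\system32\botzor.exe", r"C:\WINNT\system32\kernel32.dll",
                r"C:\Program Files\Hotbar\HbInst.exe", r"C:\Program Files\QuickTime\qttask.exe"]
SAMPLE_REGISTRY = {RUN_KEYS[0]: {
    "WINDOWS SYSTEM": "botzor.exe",
    "QuickTime Task": r'"C:\Program Files\QuickTime\qttask.exe" -atboottime',
    "Synchronization Manager": "mobsync.exe /logon",
}}

if __name__ == "__main__":
    res = triage(SAMPLE_FILES, SAMPLE_REGISTRY, SAMPLE_ENV)
    for cls in ("worm", "adware"):
        for ind, path in res["files"][cls]:
            print(f"[{cls}] file {path} (indicator {ind})")
        for _key, name, data in res["registry"][cls]:
            print(f"[{cls}] run  {name} = {data}")
    print(res["verdict"])
```

    On the constructed host the worm class fires on botzor.exe and the "WINDOWS SYSTEM" Run value, while the Hotbar file and the QuickTime autostart land in the adware class and would not on their own change the verdict. For a real host, feed it the output of a recursive directory listing and a `reg export` of the two Run keys; note that a folder indicator matches anything beneath it, so the Hotbar executable is reported twice, once for the folder and once for the `*.exe` pattern.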
  10. SBC by Widowwolf · · Score: 4, Interesting

    Well, all I can tell you is SBC is down (that's right, the phone company SBC)... company wide! (Cingular is not down at this moment)

    --
    ~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
  11. HAH! Looks like it cleans out spyware! by doormat · · Score: 4, Interesting

    Zotob might be what most people need to clean up their spyware.....

    # Searches for the following files and folders to delete the files and the contents of folders:
      * %SYSTEM%\pnpsrv.exe
      * %SYSTEM%\winpnp.exe
      * %SYSTEM%\csm.exe
      * %SYSTEM%\botzor.exe
      * %PROGRAMFILES%\MyWebSearch
      * %PROGRAMFILES%\MyWebSearch\*.exe
      * %PROGRAMFILES%\Hotbar
      * %PROGRAMFILES%\Hotbar\*.exe
      * %PROGRAMFILES%\MyWay
      * %PROGRAMFILES%\MyWay\*.exe
      * %PROGRAMFILES%\180Solutions
      * %PROGRAMFILES%\180Solutions\*.exe
      * %PROGRAMFILES%\Common Files\WinTools
      * %PROGRAMFILES%\Common Files\WinTools\*.exe
      * %PROGRAMFILES%\Toolbar
      * %PROGRAMFILES%\Toolbar\*.exe
      * %PROGRAMFILES%\CxtPls
      * %PROGRAMFILES%\NavExcel
      * %PROGRAMFILES%\AutoUpdate
      * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
      * %PROGRAMFILES%\EbatesMoeMoneyMaker
      * %PROGRAMFILES%\eZula
      * %PROGRAMFILES%\eZula\mmod.exe
      * %PROGRAMFILES%\Common Files\GMT
      * %PROGRAMFILES%\Common Files\GMT\GMT.exe
      * %PROGRAMFILES%\Common Files\CMEII

    --
    The Doormat

    If you're not outraged, then you're not paying attention.
  12. Anti-annoyanceware virus? by phorm · · Score: 2, Interesting

    From Symantec, it almost sounds like the worm is trying to decrudify your system. It attempts to kill the RealPlayer, QuickTime, Gator, and many spyware/malware/adware toolbars. It also cleans them out of the registry, and deletes their files.

    Too bad it also opens an FTP, IRC connection, and many others, but I do wonder if it's a variant on code originally intended to clean rather than infest?

    I also quite like how MS directs you to complain to the Internet Fraud Complaint Center Web site, I'm sure they really appreciate all the extra phonecalls about infected operating systems...

  13. FUD alert.... by Khyber · · Score: 2, Interesting

    DISCLAIMER:This comment may be FUD...

    Seeing as Microsoft stopped supporting Windows 2000, wouldn't this seem like a nice coincidental way of "encouraging" users to upgrade to Windows XP??

    Of course, one could always go to a pirated version of XP... Why pay for a simple security upgrade, after all?

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  14. Removes spyware? by gargan · · Score: 3, Interesting

    Has anyone else noticed that according to the Symantec security response page, this virus removes several common spyware files? kills process, removes registry entry, and deletes. I suppose it does this so that it will have the machine's internet connection mostly to itself, but I find that fascinating.

    --
    Emory: Uh..we're still..beta testing that.
    Oglethorpe: What you're testing is me and my patience!
  15. The Worm is doing a bit of good by tmonkey · · Score: 2, Interesting

    Anyone notice it is deleting these files:
    %PROGRAMFILES%\MyWebSearch
    %PROGRAMFILES%\MyWebSearch\*.exe
    %PROGRAMFILES%\Hotbar
    %PROGRAMFILES%\Hotbar\*.exe
    %PROGRAMFILES%\MyWay
    %PROGRAMFILES%\MyWay\*.exe
    %PROGRAMFILES%\180Solutions
    %PROGRAMFILES%\180Solutions\*.exe
    %PROGRAMFILES%\EbatesMoeMoneyMaker
    as per http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.d.html ... now if it just wouldn't reboot the computer.

  16. Re:Is your computer infected? by brianimator · · Score: 2, Interesting

    Let's not get too cocky...

  17. It ain't a white-hat worm, I'm pretty sure by freeweed · · Score: 2, Interesting

    My first thought was that this was another foolhardy attempt at a white-hat worm, where the intention is to help clean a victim's machine, maybe of a lot of malware...

    But having just spent an all-nighter in the office cleaning up the B variant, this new D doesn't do nearly enough to actually fix the damage.

    What really pisses me off about Windows, is that this worm somehow has enough permissions to delete other worms in %SYSTEM%, but I, as an Administrator, don't.

    Microsoft: please, for the love of god, implement KILL -9. Without a reboot. Thanks.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
    1. Re:It ain't a white-hat worm, I'm pretty sure by davegust · · Score: 2, Interesting

      One undocumented trick that works to kill any process on an NT box is "drwtsn32 -p xxx" where xxx is the process number. Technically what you are doing is attaching the debugger (drwtsn32) and terminating the process that way. I found this by looking over the source for an old version of Dr. Watson.