Zotob Worm Hits CNN and Goes Global

securitas writes "The Zotob MS05-039 worm mentioned on Slashdot last Sunday may be the most recent virus that has gone global, hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others. The virus is spreading around the world rapidly as compromised systems become bots and propagate the worm, with reported outbreaks in Germany and China. InformationWeek has a decent article titled Zotob Proves Patching "Window" Non-Existent. Microsoft calls it a "low impact" threat and tells you What you should know about Zotob. Symantec has W32.Zotob.D removal instructions. Trend Micro thinks that this is a new, different worm altogether and says it is one of the fastest-spreading infections in history."

Is your computer infected?

[ackthpt]

• If computer is Apple, No
• If OS is Linux, No
• If OS is Windows variant, Could be
• If OS is Windows 2000, Could be
• If Search finds Botzor.exe in your filesystem, Definitely
  • What do I do?
  • Ignore it, like millions of others.

Re:Is your computer infected?

If OS is Windows variant, Could be

According to TFA's apparently not.

This just in: Windows 2000 is a variant of Windows. Pictures at 11.

Re:Is your computer infected?

You seem to have left a few out.

If OS is Windows 95, No
If OS is Windows 98, No
If OS is Windows ME, No
If OS is Windows XP, No
If OS is up to date with security patches, no

Or just to make it easier
If ((OS != Windows 2000)&&(System.HasAllTheSecurityUpdates != True))
Then Could be.

SANS/ISC's take on the CNN infection

[Kelson]

The Internet Storm Center's take on this is also interesting. As far as they can tell, the infection at the three news outlets is more-or-less isolated:

Speculating: The fact that CNN, ABC and the NYTimes got it may be as simple as reporters from these organizations visiting the same event and connecting to an infected network. While a firewall may have protected their office network up to now, these infected laptops where able to take out the network from the inside once they connected back to it.

MS says..

[Turn-X+Alphonse]

It doesn't effect Windows XP, so Microsoft will just go "You should of updated". Which will lead to more sales of XP by the masses beliving they need the latest OS to "be safe".

Re:MS says..

[DrEldarion]

so Microsoft will just go "You should of updated". ... and then the grammar nazis will descend upon them like hawks.

Re:MS says..

[(startx)]

I don't run vulnerable version of the Linux kernel, but then again I don't have to pay to upgrade either.

Re:MS says..

[cnettel]

It requires authentication, though. So, if you are not wide-open for file sharing through SMB or something, you will need to be infected by a machine that already has login credentials for some machine. So, it's remote privilege elevation on XP, but not form an anonymous user, making the threat much lower. Until that trsuted, unpatched 2000 machine enters the LAN.

Re:MS says..

[GeoffP]

"grammar nazis"

Heil Webster!

All of a sudden

[inode_buddha]

All of a sudden, a worm makes mainstream news because it invaded CNN's network. I guess that is a sad indicator of what it takes to raise awareness.

Re:All of a sudden

[qyiet]

It could have done us all a favor, and infected Fox's network.

Re:All of a sudden

[fdiskne1]

I was in the process of testing the latest patches and was planning on expanding them out to the rest of the couple of thousand machines later in this week. I heard about the exploits available online when I woke up Sunday morning. I worked on Sunday making sure the couple of thousand machines we have were patched. By the time I was done, two viruses taking advantage of the vulnerability were in the wild so I got the signatures updated in case any machines were missed by the auto update I started. Today as I was about to leave, someone up the chain of command (not in a direct line of management with IT, thankfully) with no IT knowledge called, nearly in a panic. "My mother just called and CNN is calling this one of the worst viruses ever." I figured, "Yeah, she read a virus hoax email." She conference me in with her mother so I could hear what CNN was saying. I have never heard so much hype over such a minor virus before. From what I heard, it sounded like they were way over the top. I calmly explained to them the process I went through and when. CNN is reporting it two days later. I know this is a new version, but jeeze. Haven't these companies learned from previous virus events? I'm glad I stopped watching major media news.

A sober second opinion...

[Saint+Aardvark]

... from the ever-excellent Inhttp://isc.sans.orgternetstorm/ Center:

Likely this is an isolated event, which became newsworthy because CNN got infected. We do not see any new threats at this point. Zotob keeps mutating and finding new victims. As seen with prior TCP worms, it is reaching its peak around 3 days after the outbreak.

As reported by Slashdot t'other day, they raised their threat level from Green to Yellow. They explain why they moved back to Green:

We moved to 'Yellow' on Friday, after we did see a number of exploits released for last weeks Microsoft Windows vulnerabilities, in particular MS05-039 (PnP) which is exploitable remotely.

As expected, we did see various bots, in particular 'Zotob' take advantage of this vulnerability. At this point, the situation is however static. New bot variations keep getting developed, but they do not add any fundamental new variation of the exploit. We expect that most exploitable systems have been compromised at this point.

[....] Yes, the Internet is still "broken", but it was never working all that well to begin with. The Infocon is intended to measure change. We can't stay on yellow for ever.

Instant karma's gonna get you

[Kafka_Canada]

hitting Windows 2000 desktops at CNN, ABC, the New York Times, and many others.

Hm, must be a Karl Rove plant.

Or else it's just another victory in the GWOT?

Of course this is more important than...

[craznar]

160 dead in Venezuela Crash, Gaza Pull out and Paul Abdul's Idol issues.

I doubt it - yet it's front page on CNN.COM...

I wonder...

[pointguy]

... how many computers Apple will sell because of this?

Re:I wonder...

[TykeClone]

About 1000...

Those wild and crazy mac rioters

Payload

[Teclis]

"Gives a remote attacker full control over the compromised computer to perform various actions, including:

Downloading and executing files
Making queries to www.google.com ..."

Making queries to google? Sounds like a very round-about way to search google. What is the purpose of this?

Re:Payload

[Dr.+Zowie]

Jeez, the lengths some people will go to, to avoid the google cookie...

Symantec link is wrong

[Penguinshit]

The executable in this particular instance is "wintbp.exe". I thought at first it might be a randomly-named executable, but all 100+ systems I'm manually disinfecting at the moment have the same executable. It tries to connect to other systems via port 445, aka the "Magic Windoze Port"(tm).

Apparently all it's doing is rebooting systems, but I haven't done any kind of a postmortem so don't know. I haven't detected any other connection attempts either inside or outside.

Manual disinfection means disconnecting your NIC and then using regedit to delete this value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr ent Version\Run\wintbp.exe

You must then reboot the machine to disable the executable which is:

C:\%systemroot%\System32\wintbp.exe.

Good luck. I'm glad my own systems are Linux....

Re:Symantec link is wrong

[nvrrobx]

Check out http://securityresponse.symantec.com/avcenter/venc /data/w32.zotob.d.html to see exactly what this is attempting to do.

I have to ask

[js3]

why a company like CNN and ABC with billions of dollars in revenue is still running unpatched windows 2000 computers.

Re:AOL Call Centers

[Anonymous+Crowhead]

I work in an AOL call center and we run Windows 2000. We are taking almost no calls and almost all of our computers are down.

I'm glad you found one of the few that is working so you could post to Slashdot.

CNN, ABC, the New York Times

[Nom+du+Keyboard]

So it has hit CNN, ABC, the New York Times. Obviously this worm is part of the Vast Right-Wing Conspiracy!

Is it just me...

[rootedgimp]

Or does it seem like this new worm proves that there is a digital advertising war going on? Bear with me a second...

Previously (well, like early-mid 90s) when a site got hacked or a virus was running rampant, there was usually some sort of political message along with it, like a US Gov website getting hacked by a mexican / chinese hacker group that would deface the main index.html to say 'oh these people are doing some bad shit, now we're going to tell you what it is since they wont'
Notice you don't see that anymore? Like, ever? The new world of commonly noticed 'hackers' seems to be a world of mostly spyware / virus infections targeted at data mining and reselling the information gathered to advertisers. Now, with that in mind, from Symantec's description of what the worm does, look at the following:

9. Deletes the following registry values:
"Windows PNP Server" "Windows PNP" "csm Win Updates" "MyWebSearch" "WINDOWS SYSTEM" "Zotob" "MyWay" "WeatherOnTray" "Apropos" "IBIS TB" "TBPS" "Toolbar" "Hotbar" "CMESys" "NavExcel" "ViewMgr" "eZula" "EbatesMoeMoneyMaker" "Ebates" "AutoUpdater" "Gator" "Trickler" "QuickTime" "GatorDownloader" "eZmmod" "Viewpoint" "TkBellExe" "180" "WinTools" "Real" "QuickTime Task" "sais" "msbb" "saie" "180ax" "lgbibsn" "tov"

from the following subkeys: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\RunO nce

10. Searches for the following files and folders to delete the files and the contents of folders:
* %SYSTEM%\pnpsrv.exe
* %SYSTEM%\winpnp.exe
* %SYSTEM%\csm.exe
* %SYSTEM%\botzor.exe
* %PROGRAMFILES%\MyWebSearch
* %PROGRAMFILES%\MyWebSearch\*.exe
* %PROGRAMFILES%\Hotbar
* %PROGRAMFILES%\Hotbar\*.exe
* %PROGRAMFILES%\MyWay
* %PROGRAMFILES%\MyWay\*.exe
* %PROGRAMFILES%\180Solutions
* %PROGRAMFILES%\180Solutions\*.exe
* %PROGRAMFILES%\Common Files\WinTools
* %PROGRAMFILES%\Common Files\WinTools\*.exe
* %PROGRAMFILES%\Toolbar
* %PROGRAMFILES%\Toolbar\*.exe
* %PROGRAMFILES%\CxtPls
* %PROGRAMFILES%\NavExcel
* %PROGRAMFILES%\AutoUpdate
* %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
* %PROGRAMFILES%\EbatesMoeMoneyMaker
* %PROGRAMFILES%\eZula
* %PROGRAMFILES%\eZula\mmod.exe
* %PROGRAMFILES%\Common Files\GMT
* %PROGRAMFILES%\Common Files\GMT\GMT.exe
* %PROGRAMFILES%\CommonFiles\CMEII

Ever heard of a virus removing spyware for you? What reasons can we think of for a worm to do this? The one that comes to my mind seems far fetched, but assume that the spyware being removed by this virus was engineered by competitors to whoever made this virus. So maybe now we will see turf battles over drone zombified boxen? What other reasons can the /. community present for this virus removing spyware?

SBC

[Widowwolf]

Well all i can tell you is SBC is down(thats right the phone company SBC)...company wide!(Cingular is not down at this moment)

Fastest spreading ever? Probably not.

[Gary+W.+Longsine]

There are other possible infection vectors, but that one is most likely. Corporations would never expose Windows systems directly on the internet, but they buy laptops by the truckload, allow users to take them anywhere, then bring them back into the office and hook them up as though they were not any different than your nice safely-protected behind the firewall chained to the desktop system -- as though they hadn't been handed over to organized crime for a few days, for example. It's really not rational, but it's almost universal practice.

ABC News on the worm
"CNN, breaking into regular programming, reported on air that personal computers running Windows 2000 at the cable news network were affected by a worm that caused them to restart repeatedly."

We have seen this at a government client this week. It appears that the worm authors didn't test on Windows 2000 SP3. Several variants cause the target system to reboot when they attempt to exploit the MS05-039 defect on systems older than Windows 2000 SP4, apparently without infecting the target. The issue could be more subtle than that, perhaps systems running a particular hotfix or something like that, but I haven't had a chance to dig deeper on this point.

People tend to panic when all the PCs around them are crashing every few minutes instead of every few hours or days like normal (depending on patch level and usage pattern). The first assumption they tend to make is that the crashing computers were infected, but in this case that doesn't seem to be happening. A different worm on a different day, of course, might very well crash them after a successful infection, rather than before, so best not to get too cozy because of a small bit of luck.

It hasn't received much publicity, but if you're a network administrator battling this problem, you may have trouble patching your systems because they crash too quickly. You might want to disable NULL sessions on the Windows 2000 systems which haven't been patched yet. It appears that this will prevent an infection of an unpatched Windows 2000 system, allowing you more time to patch. (Patches being larger and the systems not staying up long enough to distribute a large package and whatnot.) I haven't yet been able to determine if the UPnP vulnerability could be exploited with NULL sessions disabled, but apparently the current crop of worms and bots all rely on it.

Notebooks and viruses at my work

[acomj]

Where I work, we have classes. And the instructor takes his notebook out and hooks into the network, pulls his powerpoint. During the class a window pops up... Oh, he says, its just a virus, it pops up from time to time, and procedes to reboot and keep going.

After class the computer goes back in the bag for a month, as he has a desktop in his office. The virus hibernates....

Our IT folks must love this..

HAH! Looks like it cleans out spyware!

[doormat]

Zotob might be what most people need to clean up their spyware.....

# Searches for the following files and folders to delete the files and the contents of folders:
  * %SYSTEM%\pnpsrv.exe
  * %SYSTEM%\winpnp.exe
  * %SYSTEM%\csm.exe
  * %SYSTEM%\botzor.exe
  * %PROGRAMFILES%\MyWebSearch
  * %PROGRAMFILES%\MyWebSearch\*.exe
  * %PROGRAMFILES%\Hotbar
  * %PROGRAMFILES%\Hotbar\*.exe
  * %PROGRAMFILES%\MyWay
  * %PROGRAMFILES%\MyWay\*.exe
  * %PROGRAMFILES%\180Solutions
  * %PROGRAMFILES%\180Solutions\*.exe
  * %PROGRAMFILES%\Common Files\WinTools
  * %PROGRAMFILES%\Common Files\WinTools\*.exe
  * %PROGRAMFILES%\Toolbar
  * %PROGRAMFILES%\Toolbar\*.exe
  * %PROGRAMFILES%\CxtPls
  * %PROGRAMFILES%\NavExcel
  * %PROGRAMFILES%\AutoUpdate
  * %PROGRAMFILES%\AutoUpdate\AutoUpdate.exe
  * %PROGRAMFILES%\EbatesMoeMoneyMaker
  * %PROGRAMFILES%\eZula
  * %PROGRAMFILES%\eZula\mmod.exe
  * %PROGRAMFILES%\Common Files\GMT
  * %PROGRAMFILES%\Common Files\GMT\GMT.exe
  * %PROGRAMFILES%\Common Files\CMEII

the real news story is

[Indy1]

Major media corp IT depts badly behind in patching their systems, news at 11!

Honestly Zotob is a joke. I work IT for a major university thats 95% win 2k and xp, and so far we've had 0 zotob infections. I wouldnt be surprised if we eventually got 1 or 2 here and there with old boxes that arent tied into the domain, but the vast majority of the workstations auto update themselves and hence this is a non issue for any properly run network.

LATE BREAKING NEWS on CNN Right Now

[mexicangeek]

"CNN's network admins suck."

Re:Removes spyware?

[mabu]

It makes perfect sense.

All these worms are written by spammers who want to turn the machines into zombied SMTP servers. They want to disable other exploitive processes.

If all major ISPs filtered port 25 traffic (like AOL does) from anyplace other than their in-house SMTP gateways, you'd see worm activity drop to almost nothing. It's all about spamming. And the feds don't seem to care. Sooner or later, the major broadband providers will act responsibly and stop their clients from becoming spam zombies, then there won't be much of a need for these worms to be released. That's what they're all about: spamming.

Really good advice

[interstellar_donkey]

From Microsoft's info page:

Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site.

Ummm...

"Hello, FBI? Yeah, hi. This is Pat. Listen, I've noticed my computer has been running a little slow lately. Yeah, more so then usual... Well, I heard about this new worm virus on the news... Yeah, I know I should run a virus scanner... Yes, I'm aware that the FBI does not troubleshoot and provide support for PCs... No, I don't expect you to launch a huge investigation because I suspect I *might* have been infected... Of course I'm aware that even if I was infected, there's really nothing the FBI can do about my particular case. . . . What do you mean 'Why am I calling you'?? Microsoft said I should!!"