PandaLabs reports attacks from two new worms, Zotob.D and IRCBot.KB, that exploit a vulnerability in the Windows Plug and Play (PnP) service. Microsoft recently published a Security Bulletin, MS05-039, covering this vulnerability, which could allow a remote attacker to take control of the affected system. Several news organizations, such as CNN, ABC and The New York Times, have been affected.
To exploit the vulnerability, both worms generate random IP addresses and try to connect to them through port 445, searching for vulnerable computers. When one is found, they send it instructions to download a copy of the worm by TFTP (a simplified version of the traditional FTP protocol). Both worms install themselves on the system, modify a registry key to ensure that they run on every system startup, and start a backdoor component that is reachable through IRC and awaits orders in a specified channel, which could allow a remote attacker to take control of the system. They only spread to systems running Windows 2000, Windows XP and Windows Server 2003.
In addition, Zotob.D searches for the most popular adware programs in order to delete their files and directories. The visible effect of these worms on affected machines is repeated shutting down and rebooting, which could be very dangerous in corporate environments.
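The propagation pattern described above (one host connecting to many addresses on port 445, followed by a TFTP download on the targeted machine) can be searched for in network flow logs. The Python below is an added example, not code from PandaLabs; the log format, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample flow records "epoch src dst proto dport"; not data from the report.
# Assumptions: the scanning shows up as TCP/445 and the victim is the TFTP client (UDP/69).
SAMPLE_FLOWS = """\
1000 10.0.0.5 192.0.2.10 tcp 445
1001 10.0.0.5 192.0.2.77 tcp 445
1002 10.0.0.5 198.51.100.3 tcp 445
1003 10.0.0.5 10.0.0.9 tcp 445
1004 10.0.0.5 203.0.113.8 tcp 445
1006 10.0.0.9 10.0.0.5 udp 69
1010 10.0.0.7 10.0.0.2 tcp 445
1600 10.0.0.8 10.0.0.2 udp 69
"""

def parse(text):
    """Yield (time, src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit() and fields[4].isdigit():
            yield int(fields[0]), fields[1], fields[2], fields[3].lower(), int(fields[4])

def find_scanners(flows, min_targets=5, window=60):
    """Sources that reach min_targets distinct hosts on TCP/445 within window seconds."""
    seen = defaultdict(list)  # src -> [(time, dst)], in time order
    for t, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport == 445:
            seen[src].append((t, dst))
    scanners = set()
    for src, hits in seen.items():
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners

def find_tftp_followups(flows, window=30):
    """(victim, port-445 peer, TFTP server) where TFTP follows an inbound 445 connection."""
    last_smb = {}  # dst -> (time, src) of the most recent inbound TCP/445 flow
    hits = []
    for t, src, dst, proto, dport in sorted(flows):
        if proto == "tcp" and dport == 445:
            last_smb[dst] = (t, src)
        elif proto == "udp" and dport == 69 and src in last_smb:
            smb_time, smb_src = last_smb[src]
            if t - smb_time <= window:
                hits.append((src, smb_src, dst))
    return hits
```

On the constructed sample, 10.0.0.5 is reported as a scanner and 10.0.0.9 as a host that made a TFTP request three seconds after 10.0.0.5 connected to it on port 445.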
Panda Software recommends that users download the patch offered by Microsoft, which appeared just a few days ago. The patch can be downloaded from: http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx
To help as many users as possible scan and disinfect their systems, Panda Software offers its free, online anti-malware solution, Panda ActiveScan, which now also detects spyware, at http://www.activescan.com/. Webmasters who would like to include ActiveScan on their websites can get the HTML code free from http://www.pandasoftware.com/partners/webmasters
Panda Software also offers users Virus Alerts, an e-bulletin in English and Spanish that gives immediate warning of the emergence of potentially dangerous malicious code. To receive Virus Alerts, just visit Panda Software’s website (http://www.pandasoftware.com/about/subscriptions/) and complete the corresponding form.
For further information about these and other computer threats, visit Panda Software’s Encyclopedia.