Windows 2000 Worm Wreaks Havoc

by Alex Woodie

Companies running Windows 2000 computers are being urged to patch their computers as soon as possible to prevent the "Zotob" worm from infecting their computers. Another worm, likely a variant of the Zotob worm, wreaked havoc on the computers of several news organizations just days after Microsoft issued a patch for it.

CNN reported that its Windows 2000 computers, as well as the Windows 2000 systems of ABC News and The New York Times, were rendered useless late Tuesday by an Internet worm, which it identified as worm--rbot.ebq, and which most likely is a Zotob variant. The computers became unusable when they repeatedly shut down and re-booted, CNN says.

The Zotob worm takes advantage of the recently disclosed "plug and play" vulnerability in Windows 2000, Windows XP, and Windows Server 2003. Microsoft issued a patch for the vulnerability August 9 (see "Microsoft Issues Six Security Patches for Windows" and Microsoft Security Bulletin MS05-039.

Exploit code for the plug-and-play vulnerability began appearing on the Internet over the weekend. The SANS Institute says that, after finding a host, the worm connects to a control server to ask for instructions. It then scans network neighborhoods and tries to infect them. The security organization says the coverage of the Zotob worm is likely a result of CNN becoming infected, and does not indicate a widespread worm attack. It's likely an isolated event, SANS says.

Microsoft gives a "critical" rating to this vulnerability only for Windows 2000 systems. It rates an "important" rating on Windows XP and Windows Server 2003 operating systems, because an attacker must have valid logon credentials. Computers running pre-Windows 2000 versions of the operating system are not affected.

Antivirus vendors, including F-Secure, McAfee, Sophos, Secunia, and Symantec, started protecting against Zotob soon after it surfaced.