Viruswarn Forums
Lee Drake Posts:238
08/16/2005 6:46 PM
| What it is
A new worm (NOT a virus) is spreading throughout Windows Systems that haven't been patched for MS05-039 (http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx). This worm does NOT require you to open emails or visit websites to spread. If you have a personal firewall, or better yet a hardware and personal firewall, these will mitigate the effects of the worm - however you should still patch in case a system behind a firewall becomes infected. The MS personal firewall on Windows XP (if it's on and plug and play isn't excluded) will protect you. There is also a variant that uses mass mailing combined with the Plug and Play vulnerability.
Most of the systems being affected are Windows 2000 and NT systems, since they don't have the personal firewall and have plug and play turned on by default.
If you have a hardware firewall, and/or a personal firewall you're unlikely to get infected. If you've patched per last Tuesday's patch of MS05-039 (and the patch has been downloaded and installed) you're protected from this vulnerability. If you have neither of these and are running Windows 2000, or an unpatched version of Windows XP, you're probably already infected or will be quickly. If you're running Windows 9X or NT a variant will be along for you soon - you too need to be patched up. Get thee behind a firewall and get patched up.
What to do
If you suspect a system is infected you should disconnect from the network immediately. You can search for the worm if it's the .A or .B variant. Search your hard drive for the file botzor.exe and delete it. (Note: other variants drop differently named files - if you suspect you're infected these other variants may still be present even if botzor.exe is not.) Your best protection is to be patched BEFORE you get infected. Then remove the following two registry entries and lastly perform the instructions at www.securitytango.com. The registry entries to remove are:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows System (with data Botzor.exe)
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows System (with data botzor.exe)
If your system is not infected, but you haven't done the MS05-039 update you should apply that update immediately.
Norton has released a removal tool for the "A" and "B" variants (See below)
Many variants that are more virulent and/or have worse payloads are springing up, including ones that delete files, modify your hosts file, interfere with the ability to go to Google, McAfee, Norton or other security sites, deliver a back door app that communicates with an IRC server, etc. As the worm spreads and virus makers get their hands on it any type of infection is possible, including loss of files on the machine or on attached machines.
Be watchful for strange browser behavior, spikes in network traffic, and/or Windows systems that are not responding properly - especially for network communications.
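As an added example that is not part of the original post: a read-only PowerShell check for the Zotob.A/.B indicators listed above (the botzor.exe file and the two "Windows System" autorun values). It assumes a current Windows host with PowerShell; it only reports findings and deletes nothing, so the removal steps above still have to be carried out by hand.

```powershell
# Added example, not from the original post: report the Zotob.A/.B indicators
# described above without changing anything. Run from an elevated prompt.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
$findings = @()

# 1. The two autorun values named in the post: value "Windows System", data botzor.exe.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }   # RunServices does not exist on NT-based hosts
    $props = Get-ItemProperty -Path $key
    $entry = $props.PSObject.Properties['Windows System']
    if ($entry -and ($entry.Value -match '(?i)botzor\.exe')) {
        $findings += "Autorun entry: $key\Windows System = $($entry.Value)"
    }
}

# 2. The dropped file named in the post, searched on every local fixed drive.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }
foreach ($d in $drives) {
    Get-ChildItem -Path $d.Root -Filter 'botzor.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += "File: $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime))"
        }
}

# 3. Firewall state: the post notes the worm spreads over the network and that a
#    personal firewall blocks it. Get-NetFirewallProfile exists on Windows 8 /
#    Server 2012 and later (assumption: a modern host); older hosts are skipped.
if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } |
        ForEach-Object { $findings += "Firewall profile disabled: $($_.Name)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Zotob.A/.B indicators found (other variants use different file names).'
} else {
    Write-Output 'Indicators found; disconnect this host from the network and follow the removal steps:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```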
Further references
Microsoft ZOTOB Site: http://www.microsoft.com/security/incident/zotob.mspx
MS05-039: http://www.microsoft.com/technet/security/bulletin/MS05-039.mspx
Norton Sites about Zotob and variants:
http://www.sarc.com/avcenter/venc/data/w32.zotob.b.html
http://www.sarc.com/avcenter/venc/data/w32.zotob.d.html
http://www.sarc.com/avcenter/venc/data/w32.zotob.c@mm.html
http://www.sarc.com/avcenter/venc/data/w32.esbot.a.html
http://www.sarc.com/avcenter/venc/data/w32.bobax.af@mm.html
Zotob.A and Zotob.B removal tool: http://www.sarc.com/avcenter/venc/data/w32.zotob.removal.tool.html
McAfee Sites about Zotob and Variants:
http://vil.nai.com/vil/content/v_135473.htm
http://vil.nai.com/vil/content/v_135475.htm
McAfee Stinger tool (note at time of publication this did NOT have Zotob removal built in):
http://vil.nai.com/vil/averttools.asp
Trend Micro information about Zotob:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FZOTOB%2ED
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FZOTOB%2EC
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FZOTOB%2EB
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FZOTOB%2EA
This concludes this viruswarning notice.
Lee Drake
Aztek Computer Solutions, Inc.
274 N. Goodman St Suite B269
Rochester, NY 14607
the human side of computing
Email: ldrake@azcomputer.net
Web: www.azcomputer.net Office Phone: 585-242-2060
Fax number: 585-242-9441