New internet worm

Mary Z - 15 Aug 2005 15:38 GMT
This vulnerability was discovered 5 days ago and Microsoft issued a
patch this weekend, be sure to install it.  XP Sp2 users are somewhat
less vulnerable. I shut down my PNP a long time ago, unneeded process.

If you are unsure if you have the latest security patch check here:
http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
This is a worm that you get by just being on the internet, there is no
infected e-mail to open.  Windows 95-xp are vulnerable especially
Windows 2000 machines. This is another reason to have a firewall.
Don't have a firewall?  Try out zone alarm it is free.
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Plug&Play worm Zotob prowling the Internet
A new worm called Zotob is making use of the loophole in Windows'
plug-and-play interface to emerge last week to infect Windows systems
via the Net. Especially vulnerable are users of Windows 2000 who have
as yet failed to incorporate the appropriate patch.

A new worm that goes by the name of Zotob is making use of the
loophole in Windows' plug-and-play interface to emerge last week to
infect Windows systems via the Net. Microsoft made a patch for this
problem available last week; only a few days later, however, the first
exploits were published. Especially vulnerable are unpatched Windows
2000 systems, because they allow anonymous access via the Internet to
the plug-and-play services.

For Windows XP systems with Service Pack 2 and for Windows 2003 Server
to access the same services a successful authentication as
administrator is, according to Microsoft, required. In the case of
Windows XP with Service Pack 1 access to a limited user account is all
it takes. Nonetheless, Zotob cannot infect these without, for example,
simultaneously making the odd successful guess at access data.

Zotob spreads via packets sent to the TCP Port 445. After penetrating
the port successfully it makes contact via FTP to the computer it came
from, initiating the download of further malicious code from there,
which it stores and executes as haha.exe. In addition it opens an IRC
channel, via which it can be remotely controlled and, for example,
ordered to download further modules.

Within the system the worm appears in the Registry as

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

with the key "WINDOWS SYSTEM" = "botzor.exe", thus ensuring that it is
activated every time the system is booted. In addition via entries in
the Hosts file Zotob reroutes access to an array of Internet addresses
to a loopback device, thereby thwarting the updating of antivirus
software.

On top of that the worm which belongs to the Mytob family brandishes a
threat against antivirus manufacturers in these lines:

MSG to avs: the first av who detect this worm will be the first
killed in the next 24hours!!!

F-Secure as one of them has calmly responded by pointing out that the
worm can be detected with the update 2005_08_14-01.

Though the scenario is comparable to the Sasser worm, the virus
experts of F-Secure, for instance, do not expect there to be a
similar epidemic, because, as they observe, Zotob is unable to infect
Windows XP systems with SP2.

Administrators and users should not however rely on the protection
ostensibly provided by their firewall blocking access to the TCP Port
445, but incorporate the Microsoft patch as quickly as possible. As
earlier worms have shown with a vengeance, an infected notebook, for
example, once hooked up to a company network can wreak considerable
havoc.

Microsoft has brought its Plug&Play Advisory up-to-date and reports
therein that the company is currently actively analyzing
"Worm:Win32/Zotob.A." According to the preliminary results of this
analysis systems with Windows Server 2003 and Windows XP with Service
Pack 1 or 2 are not vulnerable to the worm because it contains no code
that would allow it "to provide the authentication required." Windows
98 (SE and ME included) is in any case not subject to this
plug-and-play problem.

As the patch protects against infection by Zotob, the Redmond-based
company considers only unpatched Windows 2000 systems to be in danger.

See also:

F-Secure Virus Description: Zotob.A
Description of Zotob.A by Symantec
Description of the Vulnerability and the Patch in Microsoft Security
Bulletin MS05-039
Plug&Play Advisory by Microsoft

Visit my website:
http://www.mzuschlag.com
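
An added triage example, not part of the original post or the quoted article: it checks an exported copy of the two autorun keys for the "WINDOWS SYSTEM" = "botzor.exe" value and lists hosts-file names redirected to loopback, the two on-disk traces the article describes. The sample export, the sample hosts file and the `av-vendor.example` names are constructed placeholders; a real `.reg` export must be decoded to text before it is passed in.

```python
import re

# Indicators as given in the article quoted in the post above.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME, VALUE_DATA = "windows system", "botzor.exe"
LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|::1)$")
BENIGN = {"localhost", "localhost.localdomain"}

def run_key_hits(reg_export):
    """Return (key, name, data) for autorun values matching the indicator."""
    hits, key = [], None
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"(.*?)"\s*=\s*"(.*)"$', line)
        if not m or key is None:
            continue
        norm = key.lower().replace("hkey_local_machine", "hklm")
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        exe = data.lower().rsplit("\\", 1)[-1]
        if norm in RUN_KEYS and (name.lower() == VALUE_NAME or exe == VALUE_DATA):
            hits.append((key, name, data))
    return hits

def hosts_loopback_redirects(hosts_text):
    """Return hostnames (other than localhost) that the hosts file maps to loopback."""
    names = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and LOOPBACK.match(fields[0]):
            names += [h for h in fields[1:] if h.lower() not in BENIGN]
    return names

# Constructed sample input (not captured from a real system).
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"WINDOWS SYSTEM"="botzor.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="botzor.exe"
'''
SAMPLE_HOSTS = """127.0.0.1 localhost
127.0.0.1 updates.av-vendor.example www.av-vendor.example  # placeholder names
10.0.0.5  fileserver.corp.example
"""

if __name__ == "__main__":
    print(run_key_hits(SAMPLE_REG))
    print(hosts_loopback_redirects(SAMPLE_HOSTS))
```

A loopback entry for a security vendor's update host is worth investigating on its own, since the same hosts-file trick is not specific to this worm.
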
MikesBrain - 16 Aug 2005 00:43 GMT
2005-08-15, Responding to Mary Z...
> This vulnerability was discovered 5 days ago

Which typically translates in non-M$ press-release terms
into "has been known about for several months at least".

I wonder how many system processes the patch for *this*
particular problem will screw up? :\

Can you guess why M$ would use Linux/FreeBSD subcontracted
servers to deliver their Windows Updates?

Could be a good time to look at...

www.slackware.com

...maybe?

P.S. As Slackware is free to download and use as you like,
this post cannot be spam. Dipso Factoid! :)

----
* Another squeaking wheel @ http://tinyurl.com/6bf56
* Mike's (curious) Brain  @ http://tinyurl.com/4872c
- Have a nice day, it really does do you good! :)

 