'Zotob' Worm Makes Windows Rounds

A new worm has been detected spreading on unpatched Windows systems faster than previous worms, but reported infections have remained low for the moment. Dubbed "Zotob" by antivirus vendor Trend Micro, the worm takes advantage of a critical security hole in Windows that was patched last week.

On Friday, Microsoft acknowledged that exploit code had surfaced for at least two of the three vulnerabilities recently announced. The company said it was "disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code."

Zotob copies itself into the Windows System folder as either BOTZOR.EXE or CSM.EXE and modifies the user's "hosts" file to prevent access to antivirus Web sites. The worm then starts an FTP server on port 3333 and scans IP addresses on port 445 for other vulnerable systems.
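The host artifacts described above can be checked during triage. The following is an added example, not code from the article or from Trend Micro: it takes a System-folder file listing, the hosts file text and the set of listening ports, all collected beforehand, and reports matches. The watchlist domain `av-vendor.example` and all sample data are constructed placeholders, since the article does not list the blocked sites.

```python
import ipaddress

# Indicators named in the article.
DROPPED_NAMES = {"botzor.exe", "csm.exe"}
WORM_FTP_PORT = 3333

def hosts_overrides(hosts_text, watchlist):
    """Return (hostname, address) for hosts-file entries covering watchlist domains."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a valid mapping line
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in watchlist):
                hits.append((host, str(addr)))
    return hits

def triage(system_files, hosts_text, listening_ports, watchlist):
    """Collect (kind, detail) findings from data already gathered off a host."""
    findings = [("dropped_file", f) for f in system_files if f.lower() in DROPPED_NAMES]
    findings += [("hosts_override", f"{h} -> {a}") for h, a in hosts_overrides(hosts_text, watchlist)]
    if WORM_FTP_PORT in listening_ports:
        findings.append(("listener", f"tcp/{WORM_FTP_PORT}"))
    return findings

# Constructed sample data (not from the article).
WATCHLIST = ("av-vendor.example",)               # placeholder antivirus domain
SAMPLE_FILES = ["notepad.exe", "BOTZOR.EXE", "csmss.exe"]
SAMPLE_PORTS = {135, 445, 3333}
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1   localhost
127.0.0.1   www.av-vendor.example update.av-vendor.example
10.0.0.5    intranet.corp.example   # unrelated entry
not-an-ip   av-vendor.example
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_HOSTS, SAMPLE_PORTS, WATCHLIST):
        print(f"{kind:15} {detail}")
```

A file-name match alone is weak evidence; treat it as a lead to confirm alongside the hosts-file and listener findings.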

"Hundreds of infection reports were sighted in the United States and Germany," Trend Micro officials said in a statement.

Aside from propagating itself, however, Zotob also has built-in backdoor capabilities. The worm connects to an Internet Relay Chat channel and awaits remote instructions from a malicious user. Due to such actions, Trend Micro has rated Zotob's damage potential as "high."

Trend recommends that Windows users ensure they have installed the latest patches from Microsoft and run an up-to-date antivirus utility.


BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
