10 - KB899588

Zotob is a worm that targets Windows 2000–based computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.

If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants. As part of our Software Security Incident Response Process, our investigation has determined that only a small number of customers have been affected, and Microsoft security professionals are working directly with them. We have seen no indication of widespread impact to the Internet. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside of the United States should contact the national law enforcement agency in their country.

For more information about these worms, to help determine if you have been infected by these worms, and for instructions on how to repair your system if you have been infected by these worms, see the Zotob Security Incident Web site or the Microsoft Virus Encyclopedia. For Microsoft Virus Encyclopedia references see the “Overview” section. You can also use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive.

Other versions of Windows, including Windows XP Service Pack 2 and Windows Server 2003 are not impacted by Worm:Win32/Zotob.A, its variations, and similar worms attempting to exploit the Windows Plug and Play vulnerability, unless they have already been compromised by other malicious software. Customers can protect against attacks attempting to utilize this vulnerability by installing the security updates provided by the Microsoft Security Bulletin MS05-039 immediately. The MS05-039 security bulletin is available at the following Web site.

Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities.

Mitigating Factors:

Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.

While not the current target of these attacks, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.

While not the current target of these attacks, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing attacks are not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.

This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.

What is the scope of the advisory?
Zotob is a worm that targets Windows 2000–based computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants.


Is this a security vulnerability that requires Microsoft to issue an additional security update?
No. Customers who have installed the MS05-039 security updates are not affected by this vulnerability.

What causes this threat?
An unchecked buffer in the Plug and Play service. See Security Bulletin MS05-039 for more vulnerability details.

What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.