Virus alert: Zotob worm hits Windows 2000

Antivirus firms have urged affected users to patch their systems immediately after a new worm was discovered over the weekend that exploits a critical vulnerability in some Windows platforms.

The Zotob worm exploits a flaw which primarily affects the Windows 2000 platform but has an impact on Windows XP Service Pack I.

Microsoft released a patch on 9 August. The Microsoft Technical Bulletin MS05-039 stated that a successful exploitation would allow the attacker to "take complete control of the affected system... install programs; view, change, or delete data; or create new accounts with full user rights".

The worm, however, does not affect Windows XP SP2 or Windows Server 2003 systems.

Mark Sinclair, technical services director at Trend Micro Australia, told ZDNet Australia that it was about to issue a yellow alert - which means the worm is being reported in at least two [global] regions and there is a high potential for damage - for Zotob after receiving infection alerts from customers.

"We are seeing some evidence of [infections] today - I can't talk about which companies in particular but they are big enterprises. We are getting reports from those customers that they are getting infected by this particular worm," said Sinclair.

However, companies should not panic... yet.

Sinclair said: "It is not panic stations at this stage. But given that the vulnerability was only announced last week, it is a very quick turnaround for virus writers and it could get nasty."

Allan Bell, marketing director for McAfee Asia-Pacific, said most large organisations could avoid the worm by making sure they block ports 445 and 139 on their firewall.

Bell said: "These particular ports are used for file sharing and most corporates should have them blocked off. It is unusual for a corporate to have those open because you don't normally want somebody remotely accessing your systems."

Antivirus firms are particularly worried because of the number of Windows 2000 systems that are still in use. According to a recent study published by asset management specialist Assetmetrix, Windows 2000 is still installed in more than 50 per cent of computers used by large corporations worldwide.

Graham Cluley, senior technology consultant at Sophos said in a statement yesterday: "There will be many Windows computers that will not have been patched yet and may be vulnerable to infection and compromise. Everyone should act swiftly to ensure their PCs are properly protected with antivirus software, firewall software and up-to-date security patches."

Munir Kotadia writes for ZDNet Australia