Tips to help you stop the Zotob Worm

Novell Cool Solutions: Tip

Posted: 17 Aug 2005

Although the latest Zotob worm (W32.Zotob.E (Symantec), W32/IRCbot.worm!MS05-039 (McAfee), Net-Worm.Win32.Bozori.a (Kaspersky), W32/Tpbot-A (Sophos), WORM_RBOT.CBQ (Trend)) does not spread through e-mail or GroupWise, it may very well be impacting you anyway. Here are a few practical tips:

  • The worm only infects Windows 2000, so if you don't have a single Windows 2000 server or workstation, you can stop reading.
  • It spreads through file shares, so it's important to do two things: patch vulnerable computers and block the ports being used by the worm.

STEP 1: Block the worm from entering your network. Blocking these ports (both in and out), at least temporarily, is a good idea; it will at least prevent more incursions from the outside:

  • TCP port 445 (Microsoft-DS)
  • TCP port 7778 (Interwise)
  • UDP port 69 (TFTP)

STEP 2: Patch any unpatched Windows 2000 PCs. You'll need the following patches from Microsoft:

STEP 3: Clean up any infected PCs. Several AV vendors offer cleanup tools. Here are a couple:

And of course, definitely update your AV signatures on all workstations and servers.
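
As an added example (not part of the original tip): once the Step 1 blocks are in place, the firewall's drop log shows which internal machines are still trying to reach out on those ports, which gives a list of PCs to check in Steps 2 and 3. The log layout (netfilter-style `SRC=`/`DST=`/`PROTO=`/`DPT=` fields), the `10.0.0.0/8` internal range, the name `hosts_to_check` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in Step 1 of the tip.
WATCHED = {("TCP", 445), ("TCP", 7778), ("UDP", 69)}

# Assumed log layout: netfilter-style KEY=value fields (not from the original tip).
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines; addresses are private/documentation ranges.
SAMPLE_LOG = """\
Aug 17 09:01:02 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.21 DST=198.51.100.7 PROTO=TCP SPT=1034 DPT=445
Aug 17 09:01:02 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.21 DST=198.51.100.8 PROTO=TCP SPT=1035 DPT=445
Aug 17 09:01:03 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.4.21 DST=198.51.100.9 PROTO=TCP SPT=1036 DPT=445
Aug 17 09:01:05 gw kernel: DROP IN=eth0 OUT=eth1 SRC=203.0.113.50 DST=10.0.4.30 PROTO=TCP SPT=4411 DPT=445
Aug 17 09:01:09 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.5 DST=203.0.113.50 PROTO=UDP SPT=1040 DPT=69
Aug 17 09:01:11 gw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.9 DST=192.0.2.10 PROTO=TCP SPT=1050 DPT=80
Aug 17 09:01:12 gw kernel: truncated line SRC=10.0.7.9
""".splitlines()


def hosts_to_check(lines, internal="10.0.0.0/8"):
    """Map each internal source IP to the watched ports and outside targets it tried."""
    net = ipaddress.ip_network(internal)
    hits = defaultdict(lambda: {"ports": set(), "targets": set()})
    for line in lines:
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO", "DPT"} <= f.keys():
            continue  # skip truncated or unrelated lines
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
            key = (f["PROTO"].upper(), int(f["DPT"]))
        except ValueError:
            continue  # malformed address or port
        # Only internal hosts reaching outward are leads for patching and cleanup.
        if key in WATCHED and src in net and dst not in net:
            hits[str(src)]["ports"].add(key)
            hits[str(src)]["targets"].add(str(dst))
    return dict(hits)


if __name__ == "__main__":
    ranked = sorted(hosts_to_check(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1]["targets"]))
    for ip, info in ranked:
        print(ip, sorted(info["ports"]), len(info["targets"]), "distinct targets")
```

A host on this list is a lead to investigate, not proof of infection; one that hits many distinct outside addresses on TCP 445 in a short time is the first to check.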

Charles Taite
