
Tips to help you stop the Zotob Worm

Novell Cool Solutions: Tip
By GWAVA


Posted: 17 Aug 2005
 

Although the latest Zotob worm (W32.Zotob.E (Symantec), W32/IRCbot.worm!MS05-039 (McAfee), Net-Worm.Win32.Bozori.a (Kaspersky), W32/Tpbot-A (Sophos), WORM_RBOT.CBQ (Trend)) does not spread through e-mail or GroupWise, it may very well be impacting you anyway. Here are a few practical tips:

  • The worm only infects Windows 2000, so if you don't have a single Windows 2000 server or workstation, you can stop reading.
  • It spreads through file shares, so it's important to do two things: patch vulnerable computers and block the ports being used by the worm.

STEP 1: Block the worm from entering your network. Blocking these ports (both in and out), at least temporarily, is a good idea; at a minimum it will prevent more incursions from the outside:

  • TCP port 445 (Microsoft-DS)
  • TCP port 7778 (Interwise)
  • UDP port 69 (TFTP)

STEP 2: Patch any unpatched Windows 2000 PCs. You'll need the following patches from Microsoft:

STEP 3: Clean up any infected PCs. Several AV vendors offer cleanup tools. Here are a couple:

And of course, definitely update your AV signatures on all workstations and servers.

Charles Taite ct@gwava.com

http://www.gwava.com/
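
One way to follow up on Steps 1 and 3 once the block rules are in place, shown as an added example (not part of the original tip or any GWAVA or Novell code): scan firewall logs for traffic on the three ports to list internal hosts worth checking for infection and any traffic the block rules let through. The log line format, the sample lines and the fan-out threshold are constructed assumptions; adapt them to your firewall.

```python
import re
from collections import defaultdict

# Ports the tip says to block, in and out.
WORM_PORTS = {("tcp", 445), ("tcp", 7778), ("udp", 69)}

# Constructed line format (assumption; adapt the regex to your firewall's log):
#   <date> <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2005-08-17 09:00:01 DENY tcp 10.1.4.23:1034 -> 10.1.7.5:445
2005-08-17 09:00:01 DENY tcp 10.1.4.23:1035 -> 10.1.7.6:445
2005-08-17 09:00:02 DENY tcp 10.1.4.23:1036 -> 10.1.7.7:445
2005-08-17 09:00:03 DENY udp 10.1.7.9:1050 -> 10.1.4.23:69
2005-08-17 09:00:04 ALLOW tcp 10.1.2.8:2201 -> 10.1.0.10:445
2005-08-17 09:00:05 ALLOW tcp 10.1.2.8:2202 -> 10.1.0.20:80
2005-08-17 09:00:06 garbage line that does not parse
"""

def triage(log_text, fanout=3):
    """Return (cleanup_candidates, unblocked_lines) for traffic on worm ports."""
    targets = defaultdict(set)   # src -> distinct destinations on worm ports
    ports = defaultdict(set)     # src -> distinct worm ports used
    unblocked = []               # worm-port traffic the firewall let through
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # malformed or unrelated line
        key = (m["proto"], int(m["dport"]))
        if key not in WORM_PORTS:
            continue
        targets[m["src"]].add(m["dst"])
        ports[m["src"]].add(key)
        if m["action"] == "ALLOW":
            unblocked.append(line.strip())
    # Heuristic (assumption): one file-server connection is normal; many
    # distinct targets, or more than one worm port, is worth a cleanup visit.
    suspects = sorted(s for s in targets
                      if len(targets[s]) >= fanout or len(ports[s]) > 1)
    return suspects, unblocked

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Any line in the second list means a block rule from Step 1 is missing or not matching on that path.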

Reader Comments

  • There are not that many organizations that do not have Windows 2000 workstations.
  • Talk about misinformation. This worm has and will infect XP as well. If you get a machine that becomes infected with this worm you should re-image or spend hours with anti-malware detection tools (rootkit detector, anti-spyware, etc.).
  • You could always use a local firewall such as Novell PCF on the PCs that blocks traffic on these ports. Roll out updates to the firewall ports using ZEN. That way at least you can stop the virus spreading or swamping your network if it does get through your correctly configured enterprise firewall.
