Tips to help you stop the Zotob Worm
Novell Cool Solutions: Tip
Digg This -
Posted: 17 Aug 2005
Although the latest Zotob (W32.Zotob.E (Symantec), W32/IRCbot.worm!MS05-039 (McAfee), Net-Worm.Win32.Bozori.a (Kaspersky), W32/Tpbot-A (Sophos), WORM_RBOT.CBQ (Trend)) worm does not spread through e-mail or GroupWise, it may very well be impacting you anyway, here are a few practical tips:
- The worm only infects Windows 2000, so if you don't have a single Windows 2000 server or workstation, you can stop reading.
- It spreads through file shares, so it's important to do two things: patch vulnerable computers and block the ports being used by the worm.
STEP1: Block the worm from entering your network. At least temporarily blocking these ports (both in and out) is a good idea. At least it will prevent more incursions from the outside:
- TCP port 445 (Microsoft-DS)
- TCP port 7778 (Interwise)
- UDP port 69 (TFTP)
STEP 2: Patch any un-unpatched Windows 2000 PCs. You'll need the following patches from Microsoft:
STEP 3: Clean up any infected PCs. Several AV vendors offer cleanup tools. Here are a couple:
- Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.removal.tool.html
- Trendmicro offers a good manual removal document:
And of course, definitely update your AV signatures on all workstations and servers.
Charles Taite firstname.lastname@example.org
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com