Panda reports on the new Zotob.A that exploits the vulnerability in Plug and Play

PandaLabs reports on a new worm, Zotob.A, that exploits the vulnerability in Plug and Play (PnP) which could allow remote code execution and elevation of privileges in the affected computer. This worm is the first to appear which exploits this security problem, only 5 days after Microsoft announced this critical security problem on its bulletin MS05-039, which also includes details of the updates that users are advised to apply.

Zotob.A scans IP addresses through port 445 in order to find vulnerable systems. If it finds one, it will send instructions to transfer itself to these computers. A has an IRC client through which it connects to a certain IRC server. In this way it can receive commands that can enable the computer to be administered remotely.

Zotob.A creates the “B-O-T-Z-O-R” mutex to prevent two copies of itself being executed simultaneously on the system. Besides, it modifies the HOSTS file to prevent access to certain web pages.

Panda Software recommends users to download the patch offered by Microsoft which appeared just some days ago. The web page to download this patch is available here.