CNN reported a worm outbreak this afternoon involving their network, ABCNews, NYTimes, as well as Capitol Hill.
Information is still flowing on this situation, but here’s what we have so far:
Symantec just released info on the W32.Zotob.E worm here.
Trend Micro also released information under WORM_RBOT.CBQ.
McAfee released information as well: W32/IRCbot.worm
This is an IRC bot worm, and will scan for TCP port 445, and for file shares. McAfee reports in its bulletin that systems not patched for MS05-039 will continually reboot.
It exploits known vulnerabilities, and the patch is available from Microsoft here: Microsoft Security Bulletin MS05-039
More updates coming as we analyze and gather more information!
From the SANS Internet Storm Center
Hope y’all patched your Windows boxes. If not, get to work! I have already noticed some slowness on the internet – possibly because the cable modem segment that I am on is filled with unprotected Windows boxes.
Let me check my home network…
2 Macs – Check
1 Linux – Check
What is totally silly about this is that the worm exploits the Windows Plug and Play system via port 445. A big WTF goes out to the guys in Redmond: why does Plug and Play need to access any IP ports? Unless y’all are using PnP to mount network drives – but come on. No one would be…
Well, perhaps they are?