At least seven new worms have been unleashed that affect Windows systems that do not have the MS05-039 patch installed, which was released last week to correct problems with the Plug and Play service. The vulnerability affects Windows 2000, Windows XP, and Windows Server 2003.
The worm variants, called Zotob and RBOT, currently exploit Windows 2000 platforms and infiltrate systems to install a backdoor, an FTP server, and connect to an IRC server where infected systems can then be detected and remote controlled. Some of the worms also modify the system's HOST file to block access to numerous security vendor Web sites, such as those that produce anti-virus software. The worm also tries to block access to sites that belong to Microsoft (including its Live Update site), Amazon, eBay, Paypal, and Moneybookers.
The Plug and Play vulnerability does not affect Windows 95, Windows 98, Windows Millennium Edition (ME), and Windows NT operating systems. As such the worm cannot infect those Windows platforms. However since the worms' executables can run on those versions of Windows they could be used to spread the worm if the executables somehow make it onto those platforms.
On August 11 Microsoft released an advisory about the new worms. On August 14 the company posted a Web page with Zotob information that helps people understand how to detect the worm on their systems. The company's Antivirus Encyclopedia details steps on how to remove the worms.
Businesses that cannot immediately patch their systems can use firewalls at network borders, on servers, and on desktops to help defend against the infiltration. In particular, block access to port 445 which can be used by the worms to infect vulnerable systems. Be aware that port 445 is used for Server Message Block (SMB) and blocking access to that port might affect usability, including the use of shared resources.