View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
August 15, 2005

Zotob: the return of the network worm

It was not another Blaster, but the Zotob malware that hit the internet over the weekend marked both the return of the high-profile network worm and one of the shortest periods between the disclosure of a wormable vulnerability and the worm itself.

By CBR Staff Writer

Zotob.A can remotely infect Windows 2000 machines that have not applied the patch associated with the MS05-039 vulnerability alert that Microsoft published last Tuesday. No user interaction is required.

According to virus experts, the number of infections indicates that the worm, and its B variant, has not spread as broadly as previous network worms such as Sasser and Blaster. There have been no reports so far of major outages.

The reason we called out this one was to say ‘Don’t panic’, Trend Micro Inc’s global director of education David Perry said. The potential for damage is limited by the number of vulnerable machines, he said.

It is estimated that 73% of Microsoft’s Windows customers are now running Windows XP, which is only vulnerable to Zotob under a fairly unusual configuration. Of the remainder, only unpatched Windows 2000 machines would be hit.

The worm hit the internet late Friday, about 24 hours after MS05-039 proof-of-concept exploit code became broadly available on security mailing lists and web sites, and only three days after Microsoft publicized the vulnerability.

That would make it the second-fastest turnaround between disclosure and worm ever, second only to Witty, which broke into PCs running personal firewalls from Internet Security Systems Inc on March 19, 2004, one day after the vulnerability was disclosed.

Perry said Trend’s free HouseCall virus scanning service found 50 infections by Zotob.A, but about 1,000 infections of Zotob.B. He estimated that number represented less than a tenth of a percent of the total number of infected machines.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Late Monday, F-Secure Corp reported it had also spotted another variant, Zotob.C, and that a new version of the well-known IRCBot backdoor program has been found spreading itself through the MS05-039 vulnerability.

Zotob comes in over TCP port 445, used by the vulnerable Plug and Play (PnP) component of Windows. Otherwise vulnerable computers would not be open to infection if their firewalls or ISPs filter port 445.

It drops a backdoor on machines it infects, as well as a loader that enables the worm to launch whenever the machine reboots. Prolific network worms in the past have tended to reside in memory, meaning a reboot is sufficient to clean the machine.

It also modifies the Windows hosts file to prevent users visiting domains such as, and other antivirus sites, as well as popular e-commerce sites such as, and

Trend’s Perry said that while Zotob appears to not be as prolific as the likes of Code Red or Blaster, it could act as a progenitor of other, more successful worms, much like the little-known BlueCode spawned the more destructive Nimda in 2001.

Zotob is the first prolific network worm to be detected since May 2004, when Sasser ran on a rampage, hacking Windows boxes and gobbling bandwidth, causing disruptions in rail, air, post and banking services worldwide.

According to antivirus software vendors, the worm contains the plaintext: Botzor2005 Made By …. Greetz to good friend Coder. Based On HellBot3. MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!

HellBot3, according to Sophos Plc, is a worm transmitted by email that contains a spyware Trojan. It seems likely that the backdoor components of HellBot3 were combined with the MS05-039 exploit code to create Zotob.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.