
Zotob worm exploits Windows 2000

by Nikola Strahija on August 16th, 2005

A new series of worms, called Zotob, exploit the code for recently patched Windows flaws and are now roaring through the Internet.

The worms attack a critical vulnerability in the Windows 2000 Plug and Play service. They spread using TCP/IP port 445, which is associated with Windows file sharing. Once they seize control of the operating system, infected computers are told to wait for further instructions on an IRC channel. This means that they can be used to attack other systems, according to Johannes Ullrich, chief research officer with The SANS Institute.
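A defender's check for the spreading behaviour described above, added here as an example and not part of the original article: it flags internal hosts that open connections to many distinct addresses on port 445 within a short window. The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445  # the port the article says the worms spread over


def build_sample():
    """Constructed connection log: 'timestamp source destination dest_port'."""
    lines = []
    for i in range(8):   # 10.0.0.23 sweeps 8 different hosts in 14 seconds
        lines.append(f"2005-08-16T10:00:{i * 2:02d} 10.0.0.23 10.0.1.{i + 1} 445")
    for i in range(8):   # 10.0.0.40 keeps talking to the same two file servers
        lines.append(f"2005-08-16T10:00:{i * 3:02d} 10.0.0.40 10.0.1.{1 + i % 2} 445")
    for i in range(6):   # 10.0.0.51 reaches 6 hosts, but 10 minutes apart
        lines.append(f"2005-08-16T10:{i * 10:02d}:00 10.0.0.51 10.0.2.{i + 1} 445")
    lines.append("2005-08-16T10:00:05 10.0.0.23 192.0.2.10 80")  # not port 445
    return sorted(lines)  # ISO timestamps sort chronologically as text


def find_smb_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {source: peak count of distinct port-445 destinations in any
    window} for sources reaching the threshold. Input must be time-ordered."""
    recent = defaultdict(deque)  # source -> (timestamp, destination) in window
    peak = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_text, src, dst, dport = line.split()
        if int(dport) != SMB_PORT:
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, count in find_smb_fanout(build_sample()).items():
        print(f"{src}: {count} distinct port-445 destinations within 60s")
```

Counting distinct destinations rather than raw connections keeps a busy file-share client from tripping the rule, and the sliding window keeps slow, legitimate browsing of many shares below the threshold.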

The Zotob family also disables the Windows Update service and blocks access to certain websites, including and, Ullrich said. Because Zotob can generally affect only unpatched Windows 2000 systems that also have port 445 open, it is unlikely to be widespread, Ullrich thinks.

Trend Micro has since reported two Zotob variants, called Zotob.a and Zotob.b. The anti-virus vendor referred to Zotob as "a failed attack", in a statement, but cautioned that further variants could be forthcoming.

Although Windows 95, 98 and ME are not vulnerable to Zotob, XP and Windows Server 2003 systems could be in certain circumstances. The system's registry file would have to be altered to allow the computer to list system resources without requiring a login, a practice called "enabling Null sessions", which is not the case by default.
