Free Zotob removal tool offered

Joris Evers, CNET News

Published: 18 Aug 2005 10:05 BST


Microsoft on Wednesday made available a free software tool to help victims of the worms that hit Windows computers in the past days clean their systems.

The Zotob worm started spreading on Sunday. Since then it, along with many of its variants and other worms that take advantage of the same Windows security flaw, has hit Windows 2000 users in particular. Systems at CNN, ABC and The New York Times were among those infected.

The cleaning program is an updated version of Microsoft's Windows Malicious Software Removal Tool, Debby Fry Wilson, a director in Microsoft's Security Response Center, said in an interview.

"You click on it and it will tell you if you are infected," she said. "And if you are, it will clean the worm off your PC."

The Windows Malicious Software Removal Tool detects and removes malicious code placed on computers. Microsoft typically releases a new version of the tool every month with its security patches. The tool can be run online through Microsoft's Web site or downloaded from the Microsoft Download Center.

The updated cleaning program checks for and removes infections from Zotob.A through Zotob.E as well as Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC, according to Microsoft. The list represents all known variants based on Microsoft's investigation, the company said.

"We will continue to investigate reports of future variants and update the tool as necessary based on customer needs," a Microsoft representative said.

Microsoft continues to rate the onslaught of worms as "low to moderate," Fry Wilson said. "The number of customers infected is relatively small," she said. "However, if they are impacted, the pain is certainly real. There is a handful of customers that we have been working with," she said.

The first worm, dubbed Zotob, appeared Sunday and appeared to have faded on Monday. However, several Zotob offshoots and a new worm were subsequently unleashed. New versions of pre-existing threats also began wriggling their way into computers. All exploit a security hole in the plug-and-play feature in Windows. Some experts believe cybercriminals are engaged in a war to infect as many computers as they can.

Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week. The software maker deemed the issue "critical", its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.

The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

The worms can infect unpatched Windows 2000 systems that aren't protected by a firewall without any user interaction. The worms typically install a shell program on the computer to download the actual worm code using FTP. The newly infected system then starts searching for new computers to compromise.

Additionally, most of the worms install bot code that lets an attacker remotely control the infected system. Criminals have typically organised these hijacked systems in networks called botnets that are rented out to relay spam, launch extortion scams and commit other online crimes.
