Microsoft offers Zotob removal tool

Software also kills several variants and other bugs that exploit the same vulnerability, a flaw in Windows' plug-and-play feature.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
3 min read
Microsoft has made available a free software tool to help victims of the worms that hit Windows computers in the past days clean their systems.

The Zotob worm started spreading on Sunday. Since then, the worm, its variants, and other worms that take advantage of the same security flaw have hit Windows computers, especially those running Windows 2000. Systems at ABC, CNN and The New York Times were among those infected.

The cleaning program, released Wednesday, is an updated version of Microsoft's Windows Malicious Software Removal Tool, said Debby Fry Wilson, a director at the company's Security Response Center.

"The number of customers infected is relatively small. However, if they are impacted, the pain is certainly real."
--Debby Fry Wilson, director, Microsoft Security Response Center

"You click on it and it will tell you if you are infected," she said. "And if you are, it will clean the worm off your PC."

Microsoft typically releases a new version of this tool every month with its security patches. The tool can be run online through Microsoft's Web site or downloaded from the Microsoft Download Center.

The updated cleaning program checks for and removes infections from Zotob.A through Zotob.E, as well as from Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC, according to Microsoft. The list represents all known variants based on Microsoft's investigation, the company said.

"We will continue to investigate reports of future variants and update the tool as necessary based on customer needs," a Microsoft representative said.

Microsoft continues to rate the onslaught of worms as "low to moderate," Fry Wilson said.

CNET security center
Zotob prevention and cure
New worms attack vulnerable Windows 2000 and Windows XP SP1 machines.

"The number of customers infected is relatively small," she said. "However, if they are impacted, the pain is certainly real. There is a handful of customers that we have been working with."

The first worm was Zotob, which appeared Sunday and seemed to fade the next day. However, several Zotob offshoots and a new worm were subsequently unleashed. New versions of pre-existing threats also began wriggling their way into computers. All exploit a security hole in the plug-and-play feature in Windows. Some experts believe cybercriminals are engaged in a war to infect as many computers as they can.

Microsoft offered a fix for the Windows plug-and-play bug exploited by the worms in its monthly patching cycle last week, labeling the issue "critical"--its most serious rating. The first Zotob variant appeared in record time after Microsoft's patch release, giving Windows users little time to fix their systems.

The security issue affects Windows XP and Windows Server 2003, but only PCs running Windows 2000 are susceptible to a remote attack, Microsoft has said.

The worms can infect unpatched Windows 2000 systems that aren't protected by a firewall without any user interaction. The worms typically install a shell program on the computer to download the actual worm code using FTP, or File Transfer Protocol. The newly infected system then starts searching for new computers to compromise.

Additionally, most of the worms install "bot" code that lets an attacker remotely control the infected system. Criminals have typically organized these hijacked systems in networks called "botnets" that are rented out to relay spam, launch extortion scams and engage in other online crimes.