Microsoft Corp. late Wednesday shipped an update to its malware removal tool to detect and delete the fast-spreading “Zotob” worm family.
Microsoft typically updates the free utility once a month—on Patch Tuesday—but with at least a dozen “Zotob” variants squirming through unpatched Windows 2000 systems, the company added detections for 10 mutants to help with the cleanup process.
The new version of the Malicious Software Removal Tool will now zap the following worms: Zotob.A, Zotob.B, Zotob.C, Zotob.D, Zotob.E, Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC.
The worms, first detected last Saturday, have infected computers at several high-profile organizations, including The New York Times, CNN and ABC.
They propagate by infecting Windows 2000 machines via a “critical” flaw in the Plug and Play (PnP) service, a common component that allows the operating system to detect new hardware on a Windows system.
Microsoft released a patch for the flaw as part of its August security bulletins and warned since Aug. 9 that the bug could lead to privilege escalation and remote code execution attacks.
According to Finnish anti-virus vendor F-Secure Corp., there are at least three “Zotob” mutants and several IRC (Internet Relay Chat) bots making the rounds in the current wave of attacks.
The company has also seen evidence of rival virus writers deleting competing bots installed via the PnP hole, a clear suggestion that there are two groups responsible for the attacks.
Microsoft is maintaining a “moderate” rating on the Zotob incident and is continuing to beat the drum for Windows 2000 users to apply the MS05-039 patch.
“Our investigation has determined that only a small number of customers have been affected, and Microsoft security professionals are working directly with them. We have seen no indication of widespread impact to the Internet,” a Microsoft spokesperson said.