Tech Tips Home
The Best Tech Tips And Daily Deals
Newsletter On The Internet!

WorldStart Tech Tip And Store Search
Email: Password: Login Remember Me
looking for freeware

Like what you see here? Subscribe to the Tech Tips newsletter!   Email: Subscribe


Thursday, September 15th, 2005 by | Filed Under: Security Help

On 16 August 2005 security company Sophos discovered a new worm that was taking advantage of the Microsoft exploit MS05-039. You may have heard of this Worm in the news. It’s responsible for infecting computers at several high profile companies such as The New York Times, CNN and ABC. Microsoft thought the threat so severe that it rolled out an update for its Malicious Software Removal Tool before the normal scheduled update.

This is an exploit that allows a buffer overflow in the Plug-n-Play service in Windows. The worm sends SYN packets to TCP Port 445 looking for unpatched machines. Once Zotob finds a vulnerable system it creates a buffer overflow and sends out shellcode to the exploited system. This creates an FTP script that connects to a remote site and downloads the Worm. The Worm enables a backdoor IRC allowing the attacker to remotely send commands to the infected computer.

There have been plenty of variants of the Zotob in the 20 days of its existence and have all really been restricted to Windows 2000 machines, however the Microsoft exploit includes any operating system with the “Simple file sharing” option. This option is only available in windows XP (Home and Pro) and Windows 2000.

Symantec’s “Deep Site” threat analysts team has discovered a way to possibly utilize the Zotob in the Windows XP environment. With Simple file sharing enabled, for example, sharing a folder or even printer between two computers and having the guest account turned on.

Though it’s possible it hasn’t been seen yet, in my opinion why wait for something to happen? Be proactive about your protection. You can patch the exploit with the P-n-P by going to Microsoft and downloading the patch. Then you should turn off your Guest account or at least passwords protect it. Also you want to make sure your firewall is operating and you may even want to watch the activity log, for any application accessing TCP/IP port 445.

Here’s Microsoft’s security bulletin and fix…

Stay safe out there,

~ Chad Stelnicki

Leave a Reply

Like these tips? Get them for FREE in your email!

WorldStart's Tech Tips Newsletter

  • Tech Tips Daily - Become a tech pro! Get the very best tech and computer help sent directly to your email every weekday!

  • Tech Tips Weekly - If you don't want our Tech Tips newsletter every day, then sign up for this weekly newsletter to get the best information of the week. Sent on Fridays.

Other Newsletters

  • WorldStart's Daily Deals - Every week, we send out great deals in our Daily Deals newsletter. Many of these deals are exclusively for our Daily Deals newsletter subscribers and can't be found with our regular specials.

  • Just For Grins - Each issue includes a couple clean jokes, some funny quotes, and a hilarious reader's story. Newsletter is sent five days a week.

Enter Email Address:


Your e-mail address is safe with us!
We only use it to send you the newsletters you request. It is NEVER disclosed to a third party for any reason, ever! Plus, if you decided you don't like our newsletters (don't worry, you'll love them), unsubscribing is fast and easy.

Free Newsletter Signup

Tech Tips Daily

Become a tech pro! Get the very best tech and computer help sent directly to your email every weekday!

Tech Tips Weekly

The week's best in tech and computer help. Get your issue sent to your email every Friday!

WorldStart's Daily Deals

The very best deals on the Internet! Get a new set of incredible sales every day of the week!

Just For Grins

Clean jokes, funny quotes, and hilarious comics. Sent 5 times a week straight to your email.


Love Worldstart? Refer A Friend!

looking for freeware
WorldStart's Premium Membership

Tip Archive