Microsoft Security Advisory (899588)

Vulnerability in Plug and Play Could Allow Remote Code Execution and Elevation of Privilege

Published: 11 August 2005 | Updated: 17 August 2005

Zotob is a worm that targets Windows 2000–based computers and takes advantage of a security issue that was addressed by Microsoft Security Bulletin MS05-039. This worm and its variants install malicious software, and then search for other computers to infect.

If you have installed the update released with Security Bulletin MS05-039, you are already protected from Zotob and its variants. If you are using any supported version of Windows other than Windows 2000, you are not at risk from Zotob and its variants. As part of our Software Security Incident Response Process, our investigation has determined that only a small number of customers have been affected, and Microsoft security professionals are working directly with them. We have seen no indication of widespread impact to the Internet. Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside of the United States should contact the national law enforcement agency in their country.

For more information about these worms, to help determine if you have been infected by these worms, and for instructions on how to repair your system if you have been infected by these worms, see the Zotob Security Incident Web site or the Microsoft Virus Encyclopedia. For Microsoft Virus Encyclopedia references see the “Overview” section. You can also use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive.

Other versions of Windows, including Windows XP Service Pack 2 and Windows Server 2003 are not impacted by Worm:Win32/Zotob.A, its variations, and similar worms attempting to exploit the Windows Plug and Play vulnerability, unless they have already been compromised by other malicious software. Customers can protect against attacks attempting to utilize this vulnerability by installing the security updates provided by the Microsoft Security Bulletin MS05-039 immediately. The MS05-039 security bulletin is available at the following Web site.

Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities.

Mitigating Factors:

Windows 2000 systems are primarily at risk from this vulnerability. Windows 2000 customers who have installed the MS05-039 security update are not affected by this vulnerability. If an administrator has disabled anonymous connections by changing the default setting of the RestrictAnonymous registry key to a value of 2, Windows 2000 systems would not be vulnerable remotely from anonymous users. However, because of a large application compatibility risk, we do not recommend customers enable this setting in production environments without first extensively testing the setting in their environment. For more information, search for RestrictAnonymous at the Microsoft Help and Support Web site.
While not the current target of these attacks, it’s important to note that on Windows XP Service Pack 2 and Windows Server 2003 an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users or by users who have standard user accounts on Windows XP Service Pack 2 or Windows Server 2003. This is because of enhanced security built directly into the affected component. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 2 and Windows Server 2003 are not vulnerable remotely by anonymous users or by users who have standard user accounts. However, the affected component is available remotely to users who have administrative permissions.
While not the current target of these attacks, it’s important to note that on Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts on Windows XP Service Pack 1. The existing attacks are not designed to provide the authentication required to exploit this issue on these operating systems. Even if an administrator has enabled anonymous connections by changing the default setting of the RestrictAnonymous registry key, Windows XP Service Pack 1 systems are not vulnerable remotely by anonymous users.
This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.

General Information

Overview

Purpose of Advisory: Notification of active customer attacks and the availability of a security update to help protect against this potential threat.

Advisory Status: Advisory published. As this issue is already addressed as part of the MS05-039 security bulletin, no additional update is required.

Recommendation: Customers should use the Microsoft Windows Malicious Software Removal Tool to check for and remove the Zotob infection and install the MS05-039 security update to help protect against this vulnerability.

References	Identification
Vulnerability References
CVE Reference	CAN-2005-1983
Security Bulletin	MS05-039
Exploit and Worm Details
Zotob Security Incident	Web site
Malicious Software Removal Tool	Web site
Microsoft Virus Encyclopedia	Worm:Win32/Zotob.A, Worm:Win32/Zotob.B, Worm:Win32/Zotob.C, Worm:Win32/Zotob.D, Worm:Win32/Zotob.E Worm:Win32/Esbot.A, Worm:Win32/Rbot.MA, Worm:Win32/Rbot.MB, Worm:Win32/Rbot.MC, Bobax.O
Symantec	W32.Zotob.A, W32.Zotob.B, W32.Zotob.D, W32.Zotob.E,W32.Zotob.G
F-Secure	Zotob.A, Zotob.B, Zotob.C, Bozori.A, Bozori.B, Bozori.C
McAfee	W32/Zotob.worm,W32/Zotob.worm.b, W32/Zotob.worm.c, W32/Bozori.worm.b, W32/IRCbot.worm!MS05-039, W32/Sdbot.worm!MS05-039,W32/Sdbot.worm!51326

Note This advisory will not be updated for future variations unless they are materially different that then existing versions.

This advisory discusses the following software.


Related Software
Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium)
Microsoft Windows XP Service Pack 2
Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium)
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 for Itanium-based Systems
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

Frequently Asked Questions

Suggested Actions

Check for and Remove the Zotob Infection.
You can use the Microsoft Windows Malicious Software Removal Tool to search for and remove the Zotob worm and its variants from your hard drive.
Customers should install the MS05-039 security updates to help protect against this vulnerability.
Windows 2000 systems are primarily at risk from this vulnerability. Customers who have installed the MS05-039 security update are not affected by this vulnerability.
Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.
Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses." International customers can receive support by using any of the methods that are listed at Security Help and Support for Home Users Web site.

All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
Protect Your PC
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates and installing ant-virus software. Customers can learn more about these steps by visiting Protect Your PC Web site.
Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Other Information

Resources:

You can provide feedback by completing the form by visiting the following Web site.
Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

August 11, 2005: Advisory published
August 14, 2005: Advisory has been updated to advise customers that Microsoft is actively analyzing and providing guidance on a malicious worm identified as the “Worm:Win32/Zotob.A”.
August 15, 2005: Advisory has been updated to document additional variants of Worm:Win32/Zotob.A. We have also updated the advisory to document information about the impact of the RestrictAnonymous registry key.
August 16, 2005: Advisory has been updated to document additional information about variations of Worm:Win32/Zotob.A and additional information about the ongoing investigation.
August 17, 2005: Advisory has been updated to document additional information about variations of Worm:Win32/Zotob.A. We are also announcing the availability of a revised version of the Microsoft Windows Malicious Software Removal Tool that helps to address these attacks.