[Snort-users] MS05-039 and Zotob worm

Nigel Houghton nigel at ...1935...
Sun Aug 14 16:41:09 EDT 2005

The Sourcefire Vulnerability Research Team (VRT) has received reports of
a new worm variant, known as Zotob, that makes use of the Plug-and-Play
(PnP) vulnerability (MS05-039) to propogate. The worm uses exploit code
that targets the PnP issue via port 445 and upon sucessful exploitation,
it then uses ftp to transfer data from the infecting machine. The newly
infected machine then becomes an ftp server iteself and begins scanning
for other vulnerable hosts to infect.

The VRT released rules on August 12th, 2005 that detect all attempts to
exploit this vulnerability. These rules are identified as sids 3828
through 4125. The Zotob worm will alert on SID 3999. Inline users may
wish to set this rule to 'drop' for added protection.

In addition, a patch for this vulnerability is available at

Download Rules:
These rules will be available to subscribers only until August 17th, 2005.
Subscribers can download the rules at http://www.snort.org/pub-bin/downloads.cgi.

If you would like to purchase a subscription, please visit
http://www.snort.org/rules/why_subscribe.html, contact Dale Reynolds at
(703) 462-2639 or send email to snort-sub at ...3990...

     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

More information about the Snort-users mailing list