New internet virus targets Windows

A new worm that was unleashed over the weekend affects only a limited group of Windows users. The virus targets newly announced flaws in Microsoft's Windows operating system.

Trend Micro Inc. said the Zotob virus exploits security holes in Windows 95, 98, ME, NE, 2000 and XP platforms and can give hackers remote access to affected systems, according to Reuters.

The worm drops a copy of itself into the Windows system folder as BOTZOR.EXE and modifies the system's host file in the infected machine to prevent the user from getting online help from anti-virus Web sites, Trend Micro said.

The virus can also connect to a specific Internet relay chat server and give attackers remote control over affected systems, which can be used to infect other unpatched computers in a network, Xinhua reports.

While early reports on Zotob suggested it was spreading rapidly, the impact of the worm has actually been restricted because it targets PCs running Windows 2000, an older version of the software, Microsoft said. It poses no threat to computers running the newer Windows XP and Windows Server 2003, the company added.

"Only a small number of customers have actually been affected," Stephen Toulouse, a program manager in Microsoft's security group, was quoted as saying by ZDnet. "It is not something that has any type of widespread impact on the Internet...It hits Windows 2000 customers very specifically."

Zotob appeared in record time after Microsoft's patch release, according to Trend Micro. "This is the fastest turnaround from the announcement of the vulnerability to an actual virus," Perry said.

Users of Windows 2000 should be on guard, especially if they are not using a firewall, said Mikko Hypponen, director of antivirus research at software maker F-Secure. Zotob.A and Zotob.B scan the Internet for vulnerable systems using TCP port 445, a port typically blocked by a firewall, he said.

When a target system is found by Zotob, it installs a shell program on the computer that downloads the actual worm code, named Haha.exe, using FTP (File Transfer Protocol). The newly infected system then starts searching for new computers to compromise.