Zotob/Mytob/Rbot/IRCBot/Bozori: A real epidemic or media hysteria?
Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, spyware, spam and hacker attacks, issues the following statement regarding the malicious programs Zotob / Bozori.
A large number of international publications have reported on a virus that has supposedly infected the networks of many major corporations and caused the biggest epidemic of the year. According to these reports, CNN, ABC News, the NY Times and the US Congress have been affected. Other publications, including the Russian media, have reprinted this information. There is some confusion as to what is actually happening, and as to the name(s) of the virus.
We have established that the media are describing an incident caused by a worm, which has the following names:
- Zotob.e (Symantec)
- WORM_RBOT.CBQ (Trend Micro)
- IRCBot.Worm (McAfee)
- Tpbot-A (Sophos)
- Net-Worm.Win32.Bozori.a (Kaspersky Lab)
- Zotob.d (F-Secure)
Kaspersky Lab was among the first antivirus companies to detect this virus, and an urgent update was issued at 01:50 Moscow time (GMT+4) today (17 August 2005). It should also be noted that the Virus Laboratory has not received notification from either Russian or overseas users about infections caused by this worm. There has not been any noticeable increase in network activity which could be ascribed to this worm. During the Sasser epidemic in May 2004, which some publications are using as a comparison for Bozori.a, Sasser caused an increase in network traffic of approximately 20% to 40%. At the moment, there are no signs of a similar increase.
This worm exploits the Plug and Play vulnerability in Microsoft Windows (MS05-039), for which a patch was issued on 9 August 2005. It can be downloaded from Microsoft's site at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Since the patch was issued, approximately 10 malicious programs which exploit this vulnerability to spread have been detected. These include three Mytob variants (.ce, .cf, .ch), which some antivirus companies called Zotob. The media have published information about these, some of which appears to be speculation not supported by any factual evidence of an epidemic. Several Trojan bot programs from the Rbot and IRCBot families have also been detected. None of these bots has caused any significant epidemic.
Kaspersky Lab has no concrete information from users confirming infection by Bozori.a. This and the other facts given above would seem to confirm that at the moment, there is no epidemic.
A description of Net-Worm.Win32.Bozori.a is available in the Virus Encyclopaedia.