
How Zotob works

Written by Richard Stiennon, Contributor

From someone on the Security Focus list known only as hc03d:

Here is what the worm does:

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445.

It creates 300 threads that connect to random IP addresses within the B-class (255.255.0.0) network of the infected system.

First it tests the connection to port 445 and, if successful, it tries to exploit the vulnerability. If the attack is successful, a shell (cmd.exe) is started on port 8888.

Through the shell port, the worm sends an FTP script which instructs the remote computer to download and execute the worm from the attacker's computer using FTP.

The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.

This worm spreads via uPnP exploitation on port 445. Your antivirus will not do anything to stop this, because it is a memory-resident virus at the time of exploitation. It will detect it, but will not have access to quarantine or delete it. The machine will have to be rebooted in order to dump it from memory.

I suspect it will not be long before this worm becomes nastier.

There is not a whole lot that can be done as far as mitigation is concerned. ISS, TippingPoint, and Snort, all have sigs for this. You could implement Block/Notifies for this sig on the IPS to prevent it coming from the outside. You could implement sigs on the Snorts to catch it if it does get in.

Once it gets in, though, you will have to shut down the site links so it doesn't spread like wildfire, which it most likely will.

That's my word.
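The propagation chain hc03d describes (a TCP/445 sweep across the infected host's own /16, a shell on 8888, then the victim pulling the binary back from the attacker on 33333) is distinctive enough to spot in connection or flow logs, which is the kind of check the Snort signatures mentioned above are doing at the packet level. The following is an added detection example written for this post; it is not the worm's code, not hc03d's, and not any vendor's signature. The log format, the addresses, the 80-target sweep threshold and the timing are all constructed for the example; the three ports come from the description above.

```python
"""Flow-log detector for the Zotob propagation pattern described in the post.

Added example, not code from the original post. Input is a constructed
flow-style log: one record per line, "<epoch_seconds> <src> <dst> <dport> <proto>".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PNP_PORT = 445      # SMB port carrying the MS05-039 Plug and Play exploit (from the post)
SHELL_PORT = 8888   # port the worm's cmd.exe shell listens on (from the post)
FTP_PORT = 33333    # port the worm's FTP server listens on (from the post)


def build_sample_log():
    """Constructed sample log, not real traffic.

    10.20.1.5 plays the infected host sweeping its /16; 10.20.37.12 is the one
    probe that succeeds; 10.20.2.9 is a workstation mapping a share (benign noise).
    """
    t0 = 1124013600  # constructed epoch timestamp (mid-August 2005)
    lines = []
    for i in range(80):  # the sweep: 80 distinct neighbours on TCP/445
        lines.append(f"{t0 + i} 10.20.1.5 10.20.{i + 3}.{(i * 7) % 250 + 1} {PNP_PORT} tcp")
    # successful exploit: 445, shell on 8888, then victim fetches haha.exe from attacker:33333
    lines.append(f"{t0 + 100} 10.20.1.5 10.20.37.12 {PNP_PORT} tcp")
    lines.append(f"{t0 + 101} 10.20.1.5 10.20.37.12 {SHELL_PORT} tcp")
    lines.append(f"{t0 + 103} 10.20.37.12 10.20.1.5 {FTP_PORT} tcp")
    # benign: one host talking to one file server on 445 and 139
    lines.append(f"{t0 + 5} 10.20.2.9 10.20.0.10 {PNP_PORT} tcp")
    lines.append(f"{t0 + 6} 10.20.2.9 10.20.0.10 139 tcp")
    return "\n".join(lines) + "\n"


def parse_flow_lines(text):
    """Parse the constructed log format into (ts, src, dst, dport) tuples, TCP only."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        if proto.lower() == "tcp":
            flows.append((int(ts), src, dst, int(dport)))
    return flows


def find_pnp_sweeps(flows, min_targets=30):
    """Hosts that contact at least min_targets distinct addresses on TCP/445
    inside their own /16, i.e. the B-class scan the post describes.
    Returns {src: distinct_target_count}."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport != PNP_PORT:
            continue
        if ip_address(dst) in ip_network(f"{src}/16", strict=False):
            targets[src].add(dst)
    return {src: len(seen) for src, seen in targets.items() if len(seen) >= min_targets}


def find_infection_chains(flows):
    """(attacker, victim) pairs where, in time order, attacker -> victim:445,
    then attacker -> victim:8888, then victim -> attacker:33333 was observed."""
    first_seen = {}
    for ts, src, dst, dport in sorted(flows):  # sorted by timestamp first
        first_seen.setdefault((src, dst, dport), ts)
    chains = []
    for (src, dst, dport), t_pnp in first_seen.items():
        if dport != PNP_PORT:
            continue
        t_shell = first_seen.get((src, dst, SHELL_PORT))
        t_ftp = first_seen.get((dst, src, FTP_PORT))
        if t_shell is not None and t_ftp is not None and t_pnp <= t_shell <= t_ftp:
            chains.append((src, dst))
    return sorted(chains)


if __name__ == "__main__":
    flows = parse_flow_lines(build_sample_log())
    print("445 sweeps:", find_pnp_sweeps(flows))
    print("full chains:", find_infection_chains(flows))
```

The sweep check alone fires early, before any host is actually compromised, and is what you would want to feed a block/notify rule on the IPS; the chain check is the high-confidence confirmation that a specific pair has completed the exploit, shell and FTP pull, which tells you which host now needs to be taken off the network and rebooted.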
