Fortinet advises that its FortiGate security appliances, FortiMail antispam appliances and FortiClient Host Security software protect against all known variants of the W32/Zotob worm. This network worm appeared last weekend after a vulnerability in the Windows Plug and Play service was announced (MS05-039). W32/Zotob spreads through the network by scanning random IP addresses for systems vulnerable to MS05-039. Upon finding a vulnerable system, the exploit is triggered, and the newly infected system downloads its own copy of the worm from the originally infected system. The worm is then executed and starts scanning for new targets. Fortinet has also examined Zotob variants that propagate through mass-mailing and other Windows vulnerabilities. Zotob opens a backdoor and functions as a bot, listening for its owners' commands through an IRC channel. Some systems infected by Zotob become unstable, rebooting continuously.

There are a few characteristics that make this family of worms a serious threat. First, like the Blaster and Sasser worms, Zotob requires no user interaction and spreads to all vulnerable machines automatically. Second, the worm's footprint is quite small (10 KB) and it can simultaneously connect to hundreds of target computers, so it spreads very rapidly. Third, the worm exploits a vulnerability that affects Windows 2000, Windows XP, and Windows Server 2003; all are potential victims, and these systems make up a large percentage of Internet-connected computers. Lastly, it can spread to a wide array of networks by randomly guessing IP addresses.

Fortinet protects against and labels these worm variants as follows:

FortiGuard Network Information: All of Fortinet's FortiGate and FortiMail systems and FortiClient Host Security software in production worldwide are kept up to date automatically by Fortinet's FortiGuard Network, which provides continuous updates that ensure protection against the latest threats around the clock and around the world. Fortinet's FortiGate and FortiMail systems can block the W32/Zotob worm variants' attack at the gateway before it enters customers' networks, or on the host with the FortiClient Host Security software.

For more information on the FortiGuard Network, please visit:
http://www.fortiguardcenter.com/av.html

For more information on Fortinet's FortiGate and FortiMail systems and FortiClient Host Security software, please visit:
http://www.fortinet.com/products/