Trend Micro has reported a new worm able to infect all Windows versions faster than any previous malicious code.
Its name is Worm_Zotob.B, and Trend Micro rates it as having high damage and distribution potential.
This memory-resident worm drops a copy of itself in the Windows system folder as CSM.EXE.
The worm takes advantage of the Microsoft Windows Plug and Play vulnerability to propagate across networks. It starts an FTP server on the infected machine on port 33333, and the exploit code downloads a copy of the worm through that port.
The worm scans IP addresses on port 445 for vulnerable machines. Once Worm_Zotob.B detects an unpatched system, it drops a script that downloads a copy of the worm, named HAHA.EXE, from the FTP server.
It also modifies the system's HOSTS file, which contains hostname-to-IP-address mappings, adding several entries in order to prevent access to certain antivirus Web sites.
Worm_Zotob.B also adds the following lines that appear to be messages addressed to antivirus companies:
Botzor2005 Made By .... Greetz to good friend Coder. Based On HellBot3
MSG to avs: the first av who detect this worm will be the first killed in the next 24hours!!!
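A check for the HOSTS file modification described above, added here as an example and not taken from the Trend Micro report. It assumes the blocking entries point hostnames at a loopback or unspecified address, a common way to block a site through HOSTS; the sample file content and the `example` hostnames are constructed.

```python
import ipaddress

# Constructed sample HOSTS content; hostnames are placeholders, not from the report.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example   # constructed entry
127.0.0.1       update.av-vendor.example downloads.av-vendor.example
0.0.0.0         scan.av-vendor.example
192.0.2.10      intranet.corp.example
not-an-ip       broken.example
"""

# Names that legitimately map to loopback on a clean system.
BENIGN_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each well-formed mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # skip lines whose first field is not an IP address
        yield line_no, addr, [name.lower() for name in fields[1:]]


def find_blackholed(text):
    """Return (line_no, hostname, address) for names pinned to a sink address."""
    hits = []
    for line_no, addr, names in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for name in names:
            if name not in BENIGN_NAMES:
                hits.append((line_no, name, str(addr)))
    return hits


if __name__ == "__main__":
    for line_no, name, addr in find_blackholed(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

On a Windows machine the same function can be run over the contents of `%SystemRoot%\System32\drivers\etc\hosts`; any hit for a security vendor's site is worth investigating.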