Press Releases

Browse our press release archive

17 Aug 2005

War of the worms: Malware fights for control of insecure computers, Sophos reports

The worm exploited a Microsoft vulnerability, allowing hackers to take remote control of affected PCs. Image copyright (c) Sophos
The worm exploited a Microsoft vulnerability, allowing hackers to take remote control of affected PCs.

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have determined that separate groups of hackers are releasing a barrage of worms in a battle to seize control of innocent users' computers. Overnight, it has been confirmed that organizations such as CNN, ABC Television, The New York Times and the Financial Times have been hit.

The W32/Zotob-F worms (also known as Bozori) attempts to remove infections by earlier versions of the Zotob worm and other malware, so it can take control of the compromised computer for itself. W32/Zotob-F is related to the W32/Tpbot-A worm, which also exploits the same Microsoft MS05-039 Plug and Play vulnerability that hackers have focused on as a way into poorly defended businesses.

"Once one of these worms has control over your computer, it can use your PC for sending spam, launching an extortion denial-of-service attack against a website, stealing confidential information or blasting out new versions of malware to other unsuspecting computer users," said Graham Cluley, senior technology consultant for Sophos. "Organized criminal gangs are behind attacks like these and their motive is to make money. Owning a large network of compromised computers is a valuable asset to these criminals, and every business needs to take steps to ensure they are not the next victim on their list."

The worms are affecting computers which are not properly patched against Microsoft security holes such as the MS05-039 Plug and Play vulnerability.

More and more virus writers are exploiting the new MS05-039 vulnerability that Microsoft issued a patch against last week. The list of malware which uses the security hole to spread includes:

How to protect your computers

Home users of Microsoft Windows can visit to have their systems scanned for critical Microsoft security vulnerabilities.

Sophos recommends that IT staff responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at Sophos advised customers to patch against the latest security vulnerabilities in Microsoft's software last week. The patch for the MS05-039 Plug and Play vulnerability can be found at on Microsoft's website. However, Sophos recommends that businesses also ensure they are protected against other vulnerabilities commonly used by worms and hackers such as:

LSASS (MS04-011) security vulnerability
RPC-DCOM (MS04-012) security vulnerability
MSSQL (MS02-039) security vulnerability
UPNP (MS01-059) security vulnerability
WebDav (MS03-007) security vulnerability

"The only good thing which might come out of this high profile worm outbreak is that more people and businesses may wake up to the importance of properly protecting their systems from viruses and internet worms," said Cluley. "All companies should take a long hard look at their networks and ask, 'could that have happened to us?'"

Sophos continues to recommend that companies protect all tiers of their organization - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at