The Microsoft Plug-and-Play vulnerability exploited by the ZoTob worm has been harnessed to create an IRC bot. IRCBot-ES uses the vulnerability to spread instead of more common vectors such as Windows RPC security vulns.

The attack provides evidence that virus writers are swarming around the vulnerability - which was only disclosed last week - thinking up new ways to attack vulnerable systems. Early indications are that IRCBot-ES may be more potent that ZoTob because it's easily capable of spreading around internal networks once an infected machine is plugged into a Lan. Anti-virus firm F-secure reports that one organisation has suffered widespread infection from IRCBot-ES via this mechanism. Meanwhile a further variant of ZoTob has been discovered.

The clear interest from malware authors in the vulnerability underlines the need for Windows users to get patched up sooner rather than later. ®

Related stories

• Bot spreads through anti-virus, Windows flaws (29 November 2006)
• How a virus crashed Homeland Security (3 November 2006)
• Zotob perp jailed (13 September 2006)
• Updated Virus writers craft PnP botnet client (24 October 2005)
• MyTob and NetSky-P dominate August viral charts (1 September 2005)
• Zotob arrests throws open trade in compromised PCs (30 August 2005)
• Zotob suspects arrested in Turkey and Morocco (30 August 2005)
• Worm War II (18 August 2005)
• Plug and Play pandemonium (17 August 2005)
• Flaw on Tuesday, worm by Sunday (15 August 2005)
• Six patches - three critical - in MS August patch batch (10 August 2005)
• Zombie bots fuel spyware boom (11 July 2005)
• VXers go phishing with latest MyTob worms (8 June 2005)
• Window of exposure lets viruses run rampant (2 June 2005)