Zotob.D and IRCBot.KB exploit a vulnerability in the Windows Plug and Play service; organizations like CNN, ABC and The NY Times have been affected already.
Panda Software, a developer of virus and intrusion prevention solutions, recently announced that PandaLabs reported attacks from two new worms, Zotob.D and IRCBot.KB, that exploit a vulnerability in the Windows Plug and Play (PnP) service.
Microsoft recently published a Security Bulletin, MS05-039, covering this vulnerability. It could allow a remote attacker to take control of the affected system. Several news organizations, including CNN, ABC and The New York Times, have already been affected, according to the company.
To exploit this vulnerability, both worms generate random IP addresses and try to connect to each of them on port 445, searching for vulnerable computers. When a vulnerable computer is found, they send it instructions to download a copy of the worm over TFTP (a simplified version of the traditional FTP protocol). Once installed, each worm modifies a registry key so that it runs at every system startup and starts a backdoor component that connects to an IRC server and waits for orders in a specified channel, which could allow a remote attacker to take control of the system. The worms only affect Windows 2000, Windows XP and Windows Server 2003.
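The propagation pattern described above (one host fanning out to many random addresses on TCP/445, then the newly hit victim pulling the payload back over TFTP) is visible in ordinary flow logs. The following is an added detection example written for this article; it is not code from Panda Software, Microsoft or the worms. The log format (ISO timestamp, source, destination, protocol/port), the sample records and the thresholds are all constructed assumptions for illustration.

```python
"""
Flag hosts that scan TCP/445 the way Zotob.D and IRCBot.KB do, and
victims that fetch a file over TFTP (UDP/69) from a host that just hit
them on 445.  Added example for this article; log format, sample data
and thresholds are assumptions, not anything published about the worms.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "<ISO time> <src_ip> <dst_ip> <proto>/<dport>"
# 10.0.0.5  sweeps six hosts on 445 and 10.0.0.23 then pulls a file over TFTP.
# 10.0.0.7  talks to two file servers on 445 (normal SMB use).
# 10.0.0.30 does a TFTP transfer with no preceding 445 contact (e.g. a config backup).
SAMPLE_LOG = """\
2005-08-16T10:00:01 10.0.0.5 198.51.100.17 tcp/445
2005-08-16T10:00:01 10.0.0.5 203.0.113.9 tcp/445
2005-08-16T10:00:02 10.0.0.5 192.0.2.44 tcp/445
2005-08-16T10:00:02 10.0.0.5 198.51.100.200 tcp/445
2005-08-16T10:00:03 10.0.0.5 203.0.113.77 tcp/445
2005-08-16T10:00:03 10.0.0.5 10.0.0.23 tcp/445
2005-08-16T10:00:04 10.0.0.23 10.0.0.5 udp/69
2005-08-16T10:00:09 10.0.0.23 10.0.0.5 udp/69
2005-08-16T10:00:10 10.0.0.7 10.0.0.8 tcp/445
2005-08-16T10:00:11 10.0.0.7 10.0.0.9 tcp/445
2005-08-16T10:00:12 10.0.0.9 10.0.0.7 tcp/445
2005-08-16T10:00:12 10.0.0.30 10.0.0.31 udp/69
"""

SCAN_WINDOW = timedelta(seconds=60)   # assumed sliding window for the fan-out count
SCAN_THRESHOLD = 5                    # assumed: >= 5 distinct 445 targets in the window
TFTP_WINDOW = timedelta(seconds=30)   # assumed: victim fetches shortly after being hit


def parse_flow(line):
    """Parse one constructed-format record; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, svc = parts
    proto, _, port = svc.partition("/")
    try:
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "proto": proto, "dport": int(port)}
    except ValueError:
        return None


def load_flows(text):
    return [f for f in (parse_flow(line) for line in text.splitlines()) if f]


def find_scanners(flows, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Return {src: max distinct tcp/445 targets seen inside any window}
    for sources that reach the threshold."""
    per_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445:
            per_src[f["src"]].append((f["ts"], f["dst"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        best, start = 0, 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            best = max(best, len({d for _, d in events[start:i + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits


def find_tftp_pulls(flows, window=TFTP_WINDOW):
    """Return sorted (victim, attacker) pairs: attacker connected to victim on
    tcp/445 and the victim then sent udp/69 back to the attacker."""
    hits_445 = defaultdict(list)   # (attacker, victim) -> [timestamps]
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 445:
            hits_445[(f["src"], f["dst"])].append(f["ts"])
    pulls = set()
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 69:
            victim, attacker = f["src"], f["dst"]
            if any(timedelta(0) <= f["ts"] - t <= window
                   for t in hits_445.get((attacker, victim), [])):
                pulls.add((victim, attacker))
    return sorted(pulls)


if __name__ == "__main__":
    flows = load_flows(SAMPLE_LOG)
    for src, n in find_scanners(flows).items():
        print(f"scanner {src}: {n} distinct hosts on tcp/445")
    for victim, attacker in find_tftp_pulls(flows):
        print(f"likely infection: {victim} pulled a payload from {attacker} via TFTP")
```

The fan-out rule alone produces false positives for vulnerability scanners and backup servers, so the TFTP pairing is the stronger signal: a workstation fetching a file over TFTP from the same host that just touched it on 445 has little legitimate explanation. Flow data shows the symptom only; the fix is still the MS05-039 patch and blocking inbound 445 at the perimeter.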
In addition, Zotob.D searches for the most popular adware programs and deletes their files and directories. The visible effect on infected machines is repeated shutting down and rebooting, which could be very disruptive in corporate environments. Panda Software recommends that users install the patch Microsoft released just a few days ago.