The Zotob worm and its Windows hitting counterpart, Ircbot, are waged in viral warfare. Ircbots and a similar virus group known as Bozori are actively deleting Zotob viruses, the first to attack a newly announced Windows vulnerability.
“For the last four days we got 11 different samples of malware using this vulnerability,” said Mikko Hypponen, director of antivirus research at F-Secure. “Currently there are three Zotob variants (A, B and C), one Rbot (ADB), one Sdbot (YN), one CodBot, three IRCbots (ES, ET and EX) and two variants of Bozori (A and B).”
According to Hypponen virus writers are trying to gain kudos by deleting each others creations – F-Secure’s weblog has a diagram of how it works.
The viruses have been particularly successful at attacking unpatched Windows 2000 systems, even hitting some media organisations.
Security company Computer Associates has suggested as many a 250,000 systems have been affected globally and security body SANS has raised its threat status to yellow following the increased probability of infection through the swathe of network worms.
The Zotob worms have been followed by an almost unheralded amount of virus writing activity as hackers try to make use of vulnerable systems. Most viral creations have trojan capabilities so that infected computers can be used for more nefarious means, such as sending spam.