Zotob Plug and Play worms threaten
Tuesday August 16, 2005
An unchecked buffer in the Windows Plug and Play service has led to two new worm families circulating on the Internet: Zotob and Esbot. The Zotob worm is a Mytob clone. Where Mytob was a blend of MyDoom (mass mailing) and Rbot (backdoor and scanning), Zotob replaces the MyDoom mass-mailing code with exploit code for the Windows PnP vulnerability fixed by MS05-039, so it spreads by scanning for vulnerable hosts rather than by e-mail. Plug and Play is an essential Windows service that lets users plug in a new device and have it detected and configured automatically. Depending on the Windows version, the unchecked buffer can be exploited either over the network (on Windows 2000 without any authentication, which is why the worms mainly hit Windows 2000 machines) or locally for privilege escalation; in either case the attacker ends up with complete control of the system.
Prevention: If you haven't already installed the MS05-039 patch, do so now. Either enable Automatic Updates or visit Windows Update and install all patches designated as critical. If you can't install the patch now, block TCP ports 139 and 445 at the firewall (this also blocks Windows file and printer sharing from outside, which is what you want at the perimeter), or block all unsolicited inbound communications (most routers and firewalls do this by default). Note that a perimeter block does not stop the worm spreading between machines inside the same network once one of them is infected, so the block is a stopgap, not a substitute for the patch. Whether you patch now or not (and you really should patch if you can), a personal firewall behind a router is essential for proper security. Here's a list of free firewall software to get you started on the road to better protection.
If you've already been hit by Zotob or its cousin Esbot, use updated antivirus software to detect and remove the infection. Then patch the system and install or harden your firewall defenses, since an unpatched machine will simply be reinfected.
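The two checks above (is TCP 139/445 actually blocked, and is anything sweeping my network for those ports?) can be read straight out of the Windows Firewall log. The script below is an added example, not code from the original article: it parses pfirewall.log-style lines, flags sources that repeatedly hit 139/445 and got dropped (the pattern a PnP worm's scanner leaves), and separately flags any inbound connection on those ports that the firewall accepted, because each one proves the port was reachable from that source. The log lines are constructed for the example, and the field layout and action names (DROP, OPEN-INBOUND) are assumed to match what Windows Firewall writes; check them against the `#Fields:` header of your own log.

```python
"""Triage Windows Firewall (pfirewall.log) entries for PnP worm scanning.

Added example, not code from the original article. The sample log below is
constructed. Field layout assumed from the log's '#Fields:' header:
  date time action protocol src-ip dst-ip src-port dst-port ...
Only the first eight fields are used.
"""
from collections import defaultdict

# Ports the MS05-039 PnP exploit is delivered over (SMB over NetBIOS, direct SMB).
PNP_EXPLOIT_PORTS = {139, 445}

# Constructed sample: one host (192.168.1.10) logging what reaches it.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-08-16 09:12:01 DROP TCP 192.168.1.77 192.168.1.10 1044 445 48 S 1237490 0 65535 - - - RECEIVE
2005-08-16 09:12:01 DROP TCP 192.168.1.77 192.168.1.10 1045 445 48 S 1237491 0 65535 - - - RECEIVE
2005-08-16 09:12:02 DROP TCP 192.168.1.77 192.168.1.10 1046 445 48 S 1237492 0 65535 - - - RECEIVE
2005-08-16 09:12:02 DROP TCP 192.168.1.77 192.168.1.10 1047 139 48 S 1237493 0 65535 - - - RECEIVE
2005-08-16 09:12:03 OPEN-INBOUND TCP 192.168.1.5 192.168.1.10 3321 445 - - - - - - - - -
2005-08-16 09:12:05 OPEN TCP 192.168.1.10 10.0.0.8 1051 80 - - - - - - - - -
2005-08-16 09:12:06 DROP UDP 192.168.1.200 192.168.1.10 137 137 78 - - - - - - - RECEIVE
"""


def parse_entries(log_text):
    """Return one dict per data line; '#' header lines and blanks are skipped."""
    entries = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue  # partial write or malformed line: skip rather than crash
        entries.append({
            "date": f[0], "time": f[1], "action": f[2], "protocol": f[3],
            "src_ip": f[4], "dst_ip": f[5],
            "src_port": int(f[6]) if f[6].isdigit() else None,
            "dst_port": int(f[7]) if f[7].isdigit() else None,
        })
    return entries


def pnp_exposure(entries, scan_threshold=3):
    """Summarise TCP traffic to the MS05-039 delivery ports.

    Returns (scanners, accepted):
      scanners -- {src_ip: count} of sources whose dropped TCP attempts on
                  139/445 reached scan_threshold (worm-style sweeping)
      accepted -- [(src_ip, dst_port), ...] inbound TCP connections the
                  firewall allowed on 139/445; each means the port was
                  reachable from that source, i.e. the recommended block
                  is not in effect for that path
    """
    drops = defaultdict(int)
    accepted = []
    for e in entries:
        if e["protocol"] != "TCP" or e["dst_port"] not in PNP_EXPLOIT_PORTS:
            continue
        if e["action"] == "DROP":
            drops[e["src_ip"]] += 1
        elif e["action"] == "OPEN-INBOUND":
            accepted.append((e["src_ip"], e["dst_port"]))
    scanners = {ip: n for ip, n in drops.items() if n >= scan_threshold}
    return scanners, accepted


if __name__ == "__main__":
    scanners, accepted = pnp_exposure(parse_entries(SAMPLE_LOG))
    for ip, n in scanners.items():
        print(f"possible PnP worm scanner: {ip} ({n} blocked attempts on 139/445)")
    for ip, port in accepted:
        print(f"WARNING: inbound TCP/{port} accepted from {ip}; port not blocked for that source")
    if not accepted:
        print("no accepted inbound connections on 139/445 in this log")
```

On a real log, a source showing up in `scanners` is a host to isolate and scan for infection, while any entry in `accepted` from outside your own subnet means the perimeter block the article recommends is not doing its job. Hits on UDP 137/138 (NetBIOS name and datagram service) are ignored on purpose; they are normal LAN chatter and not the exploit path.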