[unisog] zotob and returning students, what are you going to do?

Michael Holstein michael.holstein at csuohio.edu
Fri Aug 19 18:25:24 GMT 2005


> I think you've got a couple different things confused.  As I understand 
> it, Zotob goes after the MS05_039 vuln, which seems to be pretty well 
> protected by XP SP2.  And msdss.dll is related to the IE vuln.  I don't 
> think that XP SP2 buys you any protection for the msdss vuln.

Correct. Zotob attacks Umpnpmgr.dll (why Microsoft chose to make 
plug-and-play network aware is beyond me .. since that service is 
different from uPNP which was *designed* for such things).

In 2000, it's exploitable unauthenticated.
In XPsp1, it requires a valid user
In XPsp2, it requires a valid user with 'log on locally' rights.

The current code that's circulating goes after the 'low-hanging' fruit 
.. namely, all versions of Windows 2000. XP isn't "secure" against 
MS05-039, but the current versions of Zotob don't infect XP (yet).

The msdss.dll vulnerability depends on the version of msdss.dll, not the 
operating system. What version of msdss.dll you have depends on which 
'other' product you have installed, and what version.

Regards,

Michael Holstein CISSP GCIA
Cleveland State University


More information about the unisog mailing list