Zotob Worm Detection

Critical Nessus Plugin ID 19429

Synopsis

The remote host may have been compromised by a worm.

Description

A Microsoft Windows shell is running on port 8888. This may indicate an infection by the Zotob worm, although other worms may also create a shell on this port.

Solution

Verify whether the remote host has been compromised, and reinstall the system if necessary.

See Also

http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.a.html

http://www.microsoft.com/presspass/press/2005/aug05/08-16zotob.mspx

Plugin Details

Severity: Critical

ID: 19429

File Name: zotob_detection.nasl

Version: Revision: 1.9

Type: remote

Family: Backdoors

Published: 2005/08/16

Modified: 2012/09/27

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C