The Microsoft Plug-and-Play vulnerability exploited by the ZoTob worm has been harnessed to create an IRC bot. IRCBot-ES uses the vulnerability to spread instead of more common vectors such as Windows RPC security vulns.
The attack provides evidence that virus writers are swarming around the vulnerability - which was only disclosed last week - thinking up new ways to attack vulnerable systems. Early indications are that IRCBot-ES may be more potent that ZoTob because it's easily capable of spreading around internal networks once an infected machine is plugged into a Lan. Anti-virus firm F-secure reports that one organisation has suffered widespread infection from IRCBot-ES via this mechanism. Meanwhile a further variant of ZoTob has been discovered.
The clear interest from malware authors in the vulnerability underlines the need for Windows users to get patched up sooner rather than later. ®