Chris Andrew, vice president of product management at PatchLink, said that coding errors caused a few variants of the worm to send computers into a reboot loop, which meant they spent very little time spreading the infection.
"If you read the vulnerability description in that exploit it actually tells you that if you do it wrong it crashes the computer. If you do it right then nobody can tell you have hacked the computer," said Andrew.
He said companies that were hit by one of the flawed variants were "lucky" because it gave them more time to stop the infection taking hold.
"The people at CNN and ABC were very upset that their computers crashed, but they were the lucky ones," said Andrew.
James Turner, security analyst at Frost & Sullivan Australia, agreed that the worm could easily have been worse — because the flawed variants gave administrators some warning that they were under attack.
"Your ultimate crime does not leave any traces. The minute a worm forces computers to do things that are abhorrent — like rebooting — it draws attention to itself," said Turner.
Allan Bell, marketing director for McAfee Asia-Pacific, said the versions that caused systems to crash — which McAfee has called IRCbot.worm! — are "often copy and paste jobs" created using source code distributed online.
Patchlink's Andrew agreed: "There are documented materials available that show you how to do the hacks. It is hardly surprising that there are a whole bunch of [Zotob] variants".
American Express, Visa, Holden and Boeing are just some of the Australian-based companies that suffered from Zotob infections this week. In the UK, the Financial Times was hit.
As part of its monthly patching cycle, Microsoft last Tuesday released a number of security updates, including the now infamous MS05-039, which fixed a critical vulnerability in Windows 2000. Within days, exploit code was being distributed and on Sunday the first Zotob worm was discovered in the wild.
Talkback
It was also a slow-moving MS worm. Sapphire used 8.5 minutes to reach saturation. Not to be too tongue in cheek, but the poor design of the worm and its production flaws lend credibility to the folks out there who consider it to be an attempt by MS to generate more sales of newer versions of Windows.
So called anti-virus software can only work against known patterns. They are as big a scam as the actual MS products they purport to protect. Most of those using 2000 can get by quite nicely on non-MS systems, especially since those other systems are fundamentally resistant to malware.