

Threat Advisory Center
Spybot Worm Causing Network Problems

Security Advisories

W32.Spybot.ANDM is a worm that spreads through mIRC and to network shares protected by weak passwords. It also spreads by exploiting system vulnerabilities.

What It Is

In order to help users better understand the relatively recent network worm named W32.Spybot.ANDM, Symantec Security Response is providing a summary of the issues as well as additional information that may be useful in helping users mitigate the threat.

The first signs of the W32.Spybot.ANDM network worm were seen in the wild on December 22, 2006. The worm modifies various registry keys so that it executes at system startup. It also opens a backdoor via an mIRC channel. The backdoor accepts various remote commands, including capturing keystrokes, downloading files, and stopping various security services. The worm propagates via mIRC, network shares with weak passwords, and the following known vulnerabilities:

SecurityFocus RealVNC Remote Authentication Bypass Vulnerability
http://www.securityfocus.com/bid/17978

SecurityFocus Microsoft Windows LSASS Buffer Overrun Vulnerability
http://www.securityfocus.com/bid/10108

SecurityFocus Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
http://www.securityfocus.com/bid/8205

SecurityFocus Microsoft SQL Server 2000 or MSDE 2000 Audit
http://www.securityfocus.com/bid/5980

SecurityFocus Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities
http://www.securityfocus.com/bid/9743

SecurityFocus Symantec Client Security and Symantec AntiVirus Elevation of privilege
http://www.securityfocus.com/bid/18107

Symantec Security Response strongly recommends reviewing the patch levels of the relevant software on all desktop and server systems to ensure the vulnerabilities listed above have been patched. Organizations are also encouraged to follow safe practices for password assignment and usage, using complex passwords whenever possible.

This particular worm generates large amounts of network traffic, which may result in network performance degradation. Another sign of possible infection is the presence of a file named "a.bat" in the root directory of drive C: and a file named "1.reg" in the temporary directory. The worm creates and deletes these files automatically, but they may still be present on an infected system.
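The two observable signs the advisory gives, a burst of lateral traffic from one host and the leftover a.bat / 1.reg files, can be turned into a simple triage check. The following is an added example written for this page, not code from Symantec or from the advisory. It assumes the services behind the listed vulnerabilities are reached on their well-known ports (135, 139, 445, 1433, 5900) and that the mIRC backdoor uses the default IRC ports 6667-6669; the advisory itself names no port numbers, and the flow records it reads are constructed inline.

```python
"""Added example (not part of the Symantec advisory): flag hosts whose traffic
pattern matches W32.Spybot.ANDM-style spreading, and check a host for the
file artifacts the advisory names."""
import os
from collections import defaultdict

# Assumption: well-known ports of the services behind the advisory's
# vulnerability list (the advisory lists no ports).
SPREAD_PORTS = {
    135: "DCOM RPC",
    139: "NetBIOS/SMB (shares, LSASS, ASN.1)",
    445: "SMB (shares, LSASS, ASN.1)",
    1433: "MS SQL Server / MSDE",
    5900: "RealVNC",
}
# Assumption: default IRC ports used by the mIRC backdoor channel.
IRC_PORTS = {6667, 6668, 6669}


def build_sample_flows():
    """Constructed flow log, one 'src dst dport' record per line."""
    lines = [
        "# constructed normal traffic",
        "10.0.0.7 10.0.0.20 445",
        "10.0.0.7 10.0.0.21 80",
        "10.0.0.9 192.0.2.10 443",
        "# constructed infected host sweeping its /24 on SMB and VNC, then joining IRC",
    ]
    for i in range(30, 60):
        lines.append(f"10.0.0.5 10.0.0.{i} 445")
        lines.append(f"10.0.0.5 10.0.0.{i} 5900")
    lines.append("10.0.0.5 198.51.100.4 6667")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'src dst dport' lines into (src, dst, dport) tuples; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        records.append((src, dst, int(dport)))
    return records


def find_spreaders(records, threshold=10):
    """Sources that touched at least `threshold` distinct hosts on a spread port.

    A single host fanning out to many peers on SMB/RPC/SQL/VNC is the
    'large amounts of network traffic' symptom the advisory describes.
    """
    fanout = defaultdict(set)
    for src, dst, dport in records:
        if dport in SPREAD_PORTS:
            fanout[src].add(dst)
    return {src: dsts for src, dsts in fanout.items() if len(dsts) >= threshold}


def find_irc_clients(records):
    """Sources with any outbound connection to an IRC port (noisy alone)."""
    return sorted({src for src, _, dport in records if dport in IRC_PORTS})


def triage(records, threshold=10):
    """Combine both signals: fan-out count plus whether the host also talks IRC."""
    irc = set(find_irc_clients(records))
    return {
        src: {"fanout": len(dsts), "irc": src in irc}
        for src, dsts in find_spreaders(records, threshold).items()
    }


def check_artifacts(root="C:\\", temp_dir=None):
    """Return which of the advisory's file artifacts exist on this host.

    root and temp_dir are parameters so the check can be pointed at a
    mounted image or a test directory instead of the live system.
    """
    temp_dir = temp_dir or os.environ.get("TEMP", "")
    candidates = [os.path.join(root, "a.bat"), os.path.join(temp_dir, "1.reg")]
    return [path for path in candidates if os.path.exists(path)]


if __name__ == "__main__":
    recs = parse_flows(build_sample_flows())
    for host, info in triage(recs).items():
        print(f"{host}: {info['fanout']} distinct targets on spread ports, IRC={info['irc']}")
    print("artifacts present:", check_artifacts())
```

The fan-out threshold is the knob that matters: a file server legitimately talks to many clients on 445, so in production this should be run over outbound client-initiated connections only, and the IRC signal is used to raise priority rather than to alert on its own.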

Likely sources of infections are uncontrolled systems physically entering a network, such as laptops, and direct infections of systems within networks not protected by perimeter firewalls. Most large organizations protect their internal networks with a strong perimeter firewall. Many smaller organizations, unfortunately, do not always use perimeter firewalls, thus leaving all systems on their networks open to possible attack. Industry-standard best practices for security encourage the use of perimeter firewalls for general network protection.

More detailed information on this threat can be found on the Symantec Security Response web site at

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-010316-2308-99

At this time, Symantec Security Response rates this worm as low severity, with a current rating of CAT 2 (out of a possible 5).

Symantec Security Response has analyzed the threat and has provided protection for it via LiveUpdate and Intelligent Updater. The latest antivirus (AV) definitions will detect all known variants of the W32.Spybot.ANDM worm and repair related infections. IPS signatures are also available for Symantec Client Security and Symantec Network Security 7100 series and versions 4.0 and later.

Protect Yourself

To reduce the possibility of being affected by W32.Spybot.ANDM, Symantec Security Response advises users to do the following:

  1. Keep antivirus and IPS detection signatures updated.
  2. Regularly run Windows Update and install the latest security updates to keep software up to date.
  3. Use a security solution that contains antivirus and client firewall technologies, such as Symantec Client Security, to protect against today's known and tomorrow's unknown threats.
  4. Install and maintain a perimeter firewall to protect the entire internal network. Be sure to use permit-by-exception rules on the firewall.
  5. Check all external systems for security compliance before permitting any connectivity to an internal network.

If you own Symantec products:

If you own Symantec Client Security or Symantec AntiVirus, LiveUpdate will automatically install the latest virus definitions and intrusion prevention security updates.

We will closely monitor further information related to this threat, and will provide updates and security content as necessary.
