1. /
  2. Security Response/
  3. W32.Spybot.Worm

W32.Spybot.Worm

Risk Level 2: Low

Discovered:
April 16, 2003
Updated:
November 30, 2007 10:19:46 AM
Also Known As:
Win32.Spybot.gen [Computer Associates], Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend]
Type:
Worm
Infection Length:
Varies.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References:
CVE-2001-0876, CVE-2002-1145, CVE-2003-0109, CVE-2003-0352, CVE-2003-0533, CVE-2003-0717, CVE-2003-0812, CVE-2004-0120, CVE-2005-1983, CVE-2006-2630, CVE-2007-0041, CVE-2008-4250
W32.Spybot.Worm is a detection for a family of worms that spreads using the Kazaa file-sharing network and mIRC. This worm can also spread to computers that are compromised by common back door Trojan horses and on network shares protected by weak passwords.

W32.Spybot.Worm can perform various actions by connecting to a configurable IRC server and joining a specific channel to listen for instructions. Newer variants may also spread by exploiting the following vulnerabilities:

  • Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) using TCP port 135.
  • Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).
  • Microsoft SQL Server 2000 or MSDE 2000 audit (BID 5980) using UDP port 1434.
  • Microsoft Windows WebDAV Buffer Overflow Vulnerability (BID 7116) using TCP port 80.
  • Microsoft UPnP NOTIFY Buffer Overflow Vulnerability (BID 3723).
  • Microsoft Workstation Service Buffer Overrun Vulnerability (BID 9011) using TCP port 445.
    Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
  • Microsoft Windows SSL Library Denial of Service Vulnerability (BID 10115).
  • VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (BID 11974).
  • Microsoft Windows Plug and Play Buffer Overflow Vulnerability (BID 14513).
  • Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
  • Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability (BID 24778)
  • Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107).

    Notes:
  • Recent variants of the Spybot worm family exploit several known vulnerabilities, including a SAV 10/SCS 3 vulnerability (SYM06-010), reported in May 2006. A patch for this vulnerability was made available at that time. Symantec highly recommends that users of the affected products patch their systems as soon as they are able to help avoid the spread of this particular Sybot worm family. If systems are infected with any Spybot variant and this security patch has not been applied please read the document, Attempting to migrate from 10.x to a newer version fails after becoming infected with a worm which exploits SYM06-010.
  • IPS signatures against all known and unknown exploits of SYM06-010 were released on May 26, 2006.
  • Excessive network traffic caused by an infection may result in a significant degradation of network performance.
  • Please note that this detection is modified on a daily basis and as such it is recommended that virus definitions be updated frequently.

Antivirus Protection Dates

  • Initial Rapid Release version April 16, 2003
  • Latest Rapid Release version October 21, 2014 revision 021
  • Initial Daily Certified version April 16, 2003
  • Latest Daily Certified version October 24, 2014 revision 002
  • Initial Weekly Certified release date April 16, 2003
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Medium
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium
  • Releases Confidential Info: Sends personal data to an IRC channel.
  • Compromises Security Settings: Allows unauthorized commands to be executed on a compromised computer.

Distribution

  • Distribution Level: High
  • Shared Drives: Spreads using the KaZaA file-sharing network, as well as through mIRC.
  • Target of Infection: Remotely exploitable vulnerabilities.
Writeup By: Douglas Knowles

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver