
W32.Spybot.Worm

Risk Level 2: Low

Discovered:
April 16, 2003
Updated:
November 30, 2007 10:19:46 AM
Also Known As:
Win32.Spybot.gen [Computer Associates], Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend]
Type:
Worm
Infection Length:
Varies.
Systems Affected:
Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
CVE References:
CVE-2001-0876, CVE-2002-1145, CVE-2003-0109, CVE-2003-0352, CVE-2003-0533, CVE-2003-0717, CVE-2003-0812, CVE-2004-0120, CVE-2005-1983, CVE-2006-2630, CVE-2007-0041, CVE-2008-4250
When W32.Spybot.Worm is executed, it does the following:
  1. Copies itself to the %System% folder. Some variants may have one of the following file names:

    • Bling.exe
    • Netwmon.exe
    • Wuamgrd.exe

      Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. May create and share a folder on the Kazaa file-sharing network, by adding the following registry value:

    "dir0" = "012345:[CONFIGURABLE PATH]"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent

  3. Copies itself to the configured path under file names that are designed to trick other users into downloading and executing the worm.

  4. May perform Denial of Service attacks on specified servers.

  5. May end security application processes.

  6. Connects to specified IRC servers and joins a channel to receive commands. The commands may include the following:

    • Scan for vulnerable computers
    • Download or upload files
    • List or end running processes
    • Steal cached passwords
    • Log keystrokes to steal information entered into windows with titles containing the following strings:

      • bank
      • login
      • e-bay
      • ebay
      • paypal

    • Start a local HTTP, FTP, or TFTP server
    • Search for files on the compromised computer
    • Capture screenshots, data from the clipboard, and footage from webcams
    • Visit URLs
    • Flush the DNS and ARP caches
    • Open a command shell on the compromised computer
    • Intercept packets on the local area network
    • Send net send messages
    • Copy itself to many hard-coded Windows startup folders, such as the following:

      • Documents and Settings\All Users\Menu Start\Programma's\Opstarten
      • WINDOWS\All Users\Start Menu\Programs\StartUp
      • WINNT\Profiles\All Users\Start Menu\Programs\Startup
      • WINDOWS\Start Menu\Programs\Startup
      • Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
      • Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
      • Documents and Settings\All Users\Start Menu\Programs\Startup

        Note: Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder. These files may have file names such as TFTP780 or TFTP###, where # can be any number.

  7. Adds a variable registry value to one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\OLE


    For example:

    "Microsoft Update" = "wuamgrd.exe"

    or

    "Microsoft Macro Protection Subsystem" = "bling.exe"

  8. May create a random subkey with random values under the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE

    For example, it may add the value:

    "{0BCDA1A6641FB859F}" = "bb 75 8e 3b 04 ae 16 5c 7f 68 ef 02 ed f6 0e 26 86 73 e3 30 bd"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo

  9. May create a random subkey under the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

  10. May modify one of the following values:

    "EnableDCOM" = "Y"
    "EnableDCOM" = "N"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

    which enables or disables DCOM settings, depending on the command from the attacker.

  11. May modify the value:

    "restrictanonymous" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    to restrict network access.

  12. May modify the value:

    "Start" = "4"

    in the registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

    to disable various services.

  13. May modify the values:

    "AutoShareWks" = "0"
    "AutoShareServer" = "0"

    in the registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

  14. May modify the value:

    "DoNotAllowXPSP2" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    to prevent Windows XP SP2 from being installed on the compromised computer.

  15. May modify the value:

    "AUOptions" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate

  16. May modify the values:

    "UpdatesDisableNotify" = "1"
    "AntiVirusDisableNotify" = "1"
    "FirewallDisableNotify" = "1"
    "AntiVirusOverride" = "1"
    "FirewallOverride" = "1"

    in the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

    to disable Microsoft Security Center.

  17. May modify the value:

    "EnableFirewall" = "0"

    in the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

    to disable the Microsoft Windows XP firewall.

  18. May modify registry entries to disable services:

    For example:

    • wscsvc
    • Tlntsvr
    • RemoteRegistry
    • Messenger

  19. May send confidential information, such as the operating system, IP address, and user name, to the IRC server.

  20. May open a back door on a random port.

  21. May create subkeys to register itself as a service.

    For example:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN

  22. May drop a device driver file named %System%\haxdrv.sys.

  23. May start a proxy server for the HTTP, SOCKS4, or SMTP protocol.

  24. May port scan the network.

  25. May attempt to connect to MS SQL servers with weak Administrator or SA passwords, and copy itself to the computer if successful. The following passwords could be applied in an attempt to authenticate to the remote server:

    • null
    • Rendszergazda
    • Beheerder
    • amministratore
    • hallintovirkailijat
    • Administrat
    • Administrateur
    • administrador
    • Administrador
    • administrator
    • Administrator
    • ADMINISTRATOR
    • Password
    • password
    • admin
    • 123

  26. May enumerate the accounts on the computer and disable the "SeNetworkLogonRight" privilege for them, explicitly denying those accounts the right to log on using the network logon type.

  27. May attempt to enumerate users in order to copy itself to network shares. The following passwords could be applied in an attempt to authenticate to the remote share:

    • 007
    • 123
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 2000
    • 2001
    • 2002
    • 2003
    • 2004
    • access
    • accounting
    • accounts
    • adm
    • administrador
    • administrat
    • administrateur
    • administrator
    • admins
    • amministratore
    • asd
    • backup
    • beheerder
    • bill
    • bitch
    • blank
    • bob
    • brian
    • changeme
    • chris
    • cisco
    • compaq
    • computer
    • control
    • data
    • database
    • databasepass
    • databasepassword
    • db1
    • db1234
    • db2
    • dba
    • dbpass
    • dbpassword
    • default
    • dell
    • demo
    • domain
    • domainpass
    • domainpassword
    • eric
    • exchange
    • fred
    • fuck
    • george
    • god
    • guest
    • hallintovirikailijat
    • hell
    • hello
    • home
    • homeuser
    • ian
    • ibm
    • internet
    • intranet
    • jen
    • joe
    • john
    • kate
    • katie
    • lan
    • lee
    • linux
    • login
    • loginpass
    • luke
    • mail
    • main
    • mary
    • mike
    • neil
    • nokia
    • none
    • null
    • oem
    • oeminstall
    • oemuser
    • office
    • oracle
    • orainstall
    • outlook
    • owner
    • pass
    • pass1234
    • passwd
    • password
    • password1
    • peter
    • pwd
    • qaz
    • qwe
    • qwerty
    • rendszergazda
    • sam
    • server
    • sex
    • siemens
    • slut
    • sql
    • sqlpassoainstall
    • staff
    • student
    • sue
    • susan
    • system
    • teacher
    • technical
    • test
    • unix
    • user
    • web
    • win2000
    • win2k
    • win98
    • windows
    • winnt
    • winpass
    • winxp
    • www
    • wwwadmin
    • zxc

      Note: This step may result in user accounts being locked out due to multiple failed authentication attempts.

  28. May spread by exploiting the vulnerabilities listed under CVE References above.

  29. May download and execute remote files, including updates of the worm.

  30. May check if it is running under the context of a debugger or VMware. The worm terminates immediately if this is the case.

  31. May drop Hacktool.Rootkit to hide the worm from the process list and register the hacktool as a service.

    For example, it may drop rdriv.sys and create the following subkeys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
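
Added example, not part of the Symantec writeup: a Python triage script that parses a registry export (.reg text) from a suspect host and flags the registry changes described in steps 7 through 17 above, plus autostart entries that point at the file names from step 1. The sample export, the function names and the choice of which Run keys to check are assumptions of this example; the value names and data come from the writeup.

```python
# Triage a .reg export for the registry tampering the writeup attributes to W32.Spybot.Worm.
import re
from collections import defaultdict
# Key path -> {value name: data the worm sets}; paths are compared case-insensitively.
TAMPERING = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center": {
        "UpdatesDisableNotify": "1", "AntiVirusDisableNotify": "1", "FirewallDisableNotify": "1",
        "AntiVirusOverride": "1", "FirewallOverride": "1"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile": {"EnableFirewall": "0"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile": {"EnableFirewall": "0"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate": {"DoNotAllowXPSP2": "1"},
}
for _svc in ("SharedAccess", "wscsvc", "TlntSvr", "RemoteRegistry", "Messenger"):
    TAMPERING["HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + _svc] = {"Start": "4"}
RUN_KEYS = [f"{h}\\Software\\Microsoft\\Windows\\CurrentVersion\\{k}" for k in ("Run", "RunOnce", "RunServices")
            for h in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")]
WORM_NAMES = {"bling.exe", "netwmon.exe", "wuamgrd.exe"}  # file names from step 1
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Map lower-cased key path -> {value name: data}; dword values become decimal strings."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            keys[current][name] = str(int(dword, 16)) if dword else string
    return keys

def find_spybot_tampering(reg_text):
    """Return sorted (key, value, data) triples that match the worm's documented changes."""
    keys, findings = parse_reg(reg_text), []
    for path, bad in TAMPERING.items():
        present = keys.get(path.lower(), {})
        findings += [(path, n, d) for n, d in bad.items() if present.get(n) == d]
    for path in RUN_KEYS:  # autostart entries whose file name is one of the worm's
        for name, data in keys.get(path.lower(), {}).items():
            if data.strip('"').split("\\")[-1].lower() in WORM_NAMES:
                findings.append((path, name, data))
    return sorted(findings)
# Constructed sample export: two tampered values, one worm autostart entry, two benign entries.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wuamgrd.exe"
"Vendor Agent"="C:\\Program Files\\Vendor\\agent.exe"
'''
```

On a real host, feed the output of `reg export` for the relevant hives to `find_spybot_tampering`; a hit on the Security Center or firewall values should be treated as a tamper indicator even when no worm binary is found.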

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Douglas Knowles