W32.Spybot.Worm


Discovered: April 16, 2003
Updated: November 30, 2007 10:19:46 AM
Also Known As: Win32.Spybot.gen [Computer Associates], Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend]
Type: Worm
Infection Length: Varies.
Systems Affected: Windows
CVE References: CVE-2003-0533 | CVE-2003-0352 | CVE-2004-0120 | CVE-2007-0041 | CVE-2003-0717 | CVE-2003-0109 | CVE-2006-2630 | CVE-2005-1983 | CVE-2008-4250 | CVE-2001-0876 | CVE-2003-0812 | CVE-2002-1145

W32.Spybot.Worm is a detection for a family of worms that spreads using the Kazaa file-sharing network and mIRC. This worm can also spread to computers that are compromised by common back door Trojan horses and on network shares protected by weak passwords.

W32.Spybot.Worm can perform various actions by connecting to a configurable IRC server and joining a specific channel to listen for instructions. Newer variants may also spread by exploiting the following vulnerabilities:

  • Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (BID 8205) using TCP port 135.
  • Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108).
  • Microsoft SQL Server 2000 or MSDE 2000 audit (BID 5980) using UDP port 1434.
  • Microsoft Windows WebDAV Buffer Overflow Vulnerability (BID 7116) using TCP port 80.
  • Microsoft UPnP NOTIFY Buffer Overflow Vulnerability (BID 3723).
  • Microsoft Workstation Service Buffer Overrun Vulnerability (BID 9011) using TCP port 445.
    Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
  • Microsoft Windows SSL Library Denial of Service Vulnerability (BID 10115).
  • VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (BID 11974).
  • Microsoft Windows Plug and Play Buffer Overflow Vulnerability (BID 14513).
  • Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).
  • Microsoft .NET Framework PE Loader Remote Buffer Overflow Vulnerability (BID 24778).
  • Symantec Client Security and Symantec AntiVirus Elevation of Privilege (BID 18107).

    Notes:
  • Recent variants of the Spybot worm family exploit several known vulnerabilities, including a SAV 10/SCS 3 vulnerability (SYM06-010) reported in May 2006. A patch for this vulnerability was made available at that time. Symantec highly recommends that users of the affected products patch their systems as soon as they are able, to help avoid the spread of this particular Spybot worm family. If systems are infected with any Spybot variant and this security patch has not been applied, please read the document "Attempting to migrate from 10.x to a newer version fails after becoming infected with a worm which exploits SYM06-010".
  • IPS signatures against all known and unknown exploits of SYM06-010 were released on May 26, 2006.
  • Excessive network traffic caused by an infection may result in a significant degradation of network performance.
  • Please note that this detection is modified on a daily basis and as such it is recommended that virus definitions be updated frequently.

Antivirus Protection Dates

  • Initial Rapid Release version April 16, 2003
  • Latest Rapid Release version June 22, 2018 revision 004
  • Initial Daily Certified version April 16, 2003
  • Latest Daily Certified version June 21, 2018 revision 021
  • Initial Weekly Certified release date April 16, 2003


Writeup By: Douglas Knowles


When W32.Spybot.Worm is executed, it does the following:

  1. Copies itself to the %System% folder. Some variants may have one of the following file names:

    • Bling.exe
    • Netwmon.exe
    • Wuamgrd.exe

      Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. May create and share a folder on the Kazaa file-sharing network, by adding the following registry value:

    "dir0" = "012345:[CONFIGURABLE PATH]"

    to the registry subkey:

    HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent

  3. Copies itself to the configured path as file names that are designed to trick other users into downloading and executing the worm.

  4. May perform Denial of Service attacks on specified servers.

  5. May end security application processes.

  6. Connects to specified IRC servers and joins a channel to receive commands. The commands may include the following:

    • Scan for vulnerable computers
    • Download or upload files
    • List or end running processes
    • Steal cached passwords
    • Log keystrokes to steal information entered into windows with titles containing the following strings:

      • bank
      • login
      • e-bay
      • ebay
      • paypal

    • Start a local HTTP, FTP, or TFTP server
    • Search for files on the compromised computer
    • Capture screenshots, data from the clipboard, and footage from webcams
    • Visit URLs
    • Flush the DNS and ARP caches
    • Open a command shell on the compromised computer
    • Intercept packets on the local area network
    • Send net send messages
    • Copy itself to many hard-coded Windows startup folders, such as the following:

      • Documents and Settings\All Users\Menu Start\Programma's\Opstarten
      • WINDOWS\All Users\Start Menu\Programs\StartUp
      • WINNT\Profiles\All Users\Start Menu\Programs\Startup
      • WINDOWS\Start Menu\Programs\Startup
      • Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
      • Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
      • Documents and Settings\All Users\Start Menu\Programs\Startup


        Note: Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder. These files may have file names such as TFTP780 or TFTP###, where # can be any number.

  7. Adds a variable registry value to one or more of the following registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\OLE


    For example:

    "Microsoft Update" = "wuamgrd.exe"

    or

    "Microsoft Macro Protection Subsystem" = "bling.exe"

  8. May create a random subkey with random values under the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE

    For example, it may add the value:

    "{0BCDA1A6641FB859F}" = "bb 75 8e 3b 04 ae 16 5c 7f 68 ef 02 ed f6 0e 26 86 73 e3 30 bd"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo

  9. May create a random subkey under the following subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

  10. May modify one of the following values:

    "EnableDCOM" = "Y"
    "EnableDCOM" = "N"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

    which enables or disables DCOM settings, depending on the command from the attacker.

  11. May modify the value:

    "restrictanonymous" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    to restrict network access.

  12. May modify the value:

    "Start" = "4"

    in the registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

    to disable various services.

  13. May modify the values:

    "AutoShareWks" = "0"
    "AutoShareServer" = "0"

    in the registry subkeys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

  14. May modify the value:

    "DoNotAllowXPSP2" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    to prevent Windows XP SP2 from being installed on the compromised computer.

  15. May modify the value:

    "AUOptions" = "1"

    in the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate


  16. May modify the values:

    "UpdatesDisableNotify" = "1"
    "AntiVirusDisableNotify" = "1"
    "FirewallDisableNotify" = "1"
    "AntiVirusOverride" = "1"
    "FirewallOverride" = "1"

    in the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

    to disable Microsoft Security Center.

  17. May modify the value:

    "EnableFirewall" = "0"

    in the registry keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

    to disable the Microsoft Windows XP firewall.

  18. May modify registry entries to disable services:

    For example:

    • wscsvc
    • Tlntsvr
    • RemoteRegistry
    • Messenger

  19. May send confidential information, such as the operating system, IP address, user name, etc., to the IRC server.

  20. May open a back door on a random port.

  21. May create subkeys to register itself as a service.

    For example:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN

  22. May drop a device driver file named %System%\haxdrv.sys.

  23. May start a proxy server for the HTTP, SOCKS4, or SMTP protocol.

  24. May port scan the network.

  25. May attempt to connect to MS SQL servers with weak Administrator or SA passwords, and copy itself to the computer if successful. The following passwords could be applied in an attempt to authenticate to the remote server:

    • null
    • Rendszergazda
    • Beheerder
    • amministratore
    • hallintovirkailijat
    • Administrat
    • Administrateur
    • administrador
    • Administrador
    • administrator
    • Administrator
    • ADMINISTRATOR
    • Password
    • password
    • admin
    • 123

  26. May be able to enumerate the accounts on the computer and disable the "SeNetworkLogonRight" authorization constant, explicitly denying an account the right to log on using the network logon type.

  27. May attempt to enumerate users in order to copy itself to network shares. The following passwords could be applied in an attempt to authenticate to the remote share:

    • 007
    • 123
    • 1234
    • 12345
    • 123456
    • 1234567
    • 12345678
    • 123456789
    • 1234567890
    • 2000
    • 2001
    • 2002
    • 2003
    • 2004
    • access
    • accounting
    • accounts
    • adm
    • administrador
    • administrat
    • administrateur
    • administrator
    • admins
    • amministratore
    • asd
    • backup
    • beheerder
    • bill
    • bitch
    • blank
    • bob
    • brian
    • changeme
    • chris
    • cisco
    • compaq
    • computer
    • control
    • data
    • database
    • databasepass
    • databasepassword
    • db1
    • db1234
    • db2
    • dba
    • dbpass
    • dbpassword
    • default
    • dell
    • demo
    • domain
    • domainpass
    • domainpassword
    • eric
    • exchange
    • fred
    • fuck
    • george
    • god
    • guest
    • hallintovirikailijat
    • hell
    • hello
    • home
    • homeuser
    • ian
    • ibm
    • internet
    • intranet
    • jen
    • joe
    • john
    • kate
    • katie
    • lan
    • lee
    • linux
    • login
    • loginpass
    • luke
    • mail
    • main
    • mary
    • mike
    • neil
    • nokia
    • none
    • null
    • oem
    • oeminstall
    • oemuser
    • office
    • oracle
    • orainstall
    • outlook
    • owner
    • pass
    • pass1234
    • passwd
    • password
    • password1
    • peter
    • pwd
    • qaz
    • qwe
    • qwerty
    • rendszergazda
    • sam
    • server
    • sex
    • siemens
    • slut
    • sql
    • sqlpassoainstall
    • staff
    • student
    • sue
    • susan
    • system
    • teacher
    • technical
    • test
    • unix
    • user
    • web
    • win2000
    • win2k
    • win98
    • windows
    • winnt
    • winpass
    • winxp
    • www
    • wwwadmin
    • zxc

      Note: This step may result in user accounts being locked out due to multiple failed authentication attempts.

  28. May spread by exploiting the following vulnerabilities:

  29. May download and execute remote files, including updates of the worm.

  30. May check whether it is running under a debugger or inside VMware. The worm terminates immediately if this is the case.

  31. May drop Hacktool.Rootkit to hide the worm from the process list and register the hacktool as a service.

    For example, it may drop rdriv.sys and create the following subkeys:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
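The registry changes listed in steps 7 through 18, 21 and 31 are the most durable host artifacts this family leaves, and they can be checked offline against a registry export from a suspect machine. The following is an added example, not Symantec's tooling or code from the writeup: it parses a `reg export` text dump (REGEDIT4 or "Windows Registry Editor Version 5.00" format) and flags the values, autostart entries and service keys this writeup attributes to W32.Spybot.Worm. The `parse_reg_export` and `find_indicators` names, the indicator table layout and the sample export are all constructed for the example; the key paths, value names and file names come from the writeup.

```python
import re
from typing import Dict, List, Tuple

# Added example (not Symantec's tooling): read a "reg export" text dump from a
# suspect host and flag the registry changes this writeup attributes to
# W32.Spybot.Worm. Key and value names are compared case-insensitively, as the
# registry itself does. Only string and dword data are decoded; other types
# are kept as their raw text.
RegDump = Dict[str, Dict[str, object]]

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

HKLM = 'hkey_local_machine\\'
HKCU = 'hkey_current_user\\'
SERVICES = HKLM + 'system\\currentcontrolset\\services\\'


def _decode(raw: str) -> object:
    """Decode quoted strings and dword:XXXXXXXX; leave anything else verbatim."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text: str) -> RegDump:
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' style exports."""
    dump: RegDump = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(';') or line == 'REGEDIT4' \
                or line.startswith('Windows Registry Editor'):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group('key').lower()
            dump.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            dump[current][m.group('name').lower()] = _decode(m.group('data'))
    return dump


# (key, value name, data the writeup associates with the worm, meaning)
TAMPER_INDICATORS: List[Tuple[str, str, object, str]] = (
    [(HKLM + 'software\\microsoft\\security center', n, 1, 'Security Center alerting suppressed')
     for n in ('updatesdisablenotify', 'antivirusdisablenotify', 'firewalldisablenotify',
               'antivirusoverride', 'firewalloverride')]
    + [(HKLM + 'software\\policies\\microsoft\\windowsfirewall\\' + p, 'enablefirewall', 0,
        'Windows Firewall disabled by policy') for p in ('domainprofile', 'standardprofile')]
    + [(HKLM + 'software\\policies\\microsoft\\windows\\windowsupdate', 'donotallowxpsp2', 1,
        'Windows XP SP2 installation blocked'),
       (HKLM + 'software\\microsoft\\windows\\currentversion\\windowsupdate\\autoupdate',
        'auoptions', 1, 'Automatic Updates turned off'),
       (HKLM + 'system\\currentcontrolset\\control\\lsa', 'restrictanonymous', 1,
        'anonymous network access restricted')]
    + [(SERVICES + s, 'start', 4, 'service disabled: ' + s)
       for s in ('sharedaccess', 'wscsvc', 'tlntsvr', 'remoteregistry', 'messenger')]
    + [(SERVICES + s + '\\parameters', n, 0, 'administrative shares disabled')
       for s in ('lanmanserver', 'lanmanworkstation') for n in ('autosharewks', 'autoshareserver')]
)

# Autostart locations the writeup lists, and the file names it gives for the worm.
AUTOSTART_KEYS = (
    [HKLM + 'software\\microsoft\\windows\\currentversion\\' + k
     for k in ('run', 'runonce', 'runservices', 'shell extensions')]
    + [HKCU + 'software\\microsoft\\windows\\currentversion\\' + k
       for k in ('run', 'runonce', 'runservices')]
    + [HKCU + 'software\\microsoft\\ole']
)
WORM_FILE_NAMES = ('bling.exe', 'netwmon.exe', 'wuamgrd.exe')
# Service names the writeup gives for the worm's own service and rootkit driver.
WORM_SERVICE_KEYS = [SERVICES + s for s in ('booltern', 'rdriv')]


def find_indicators(dump: RegDump) -> List[str]:
    """Return one human-readable finding per matching indicator."""
    findings = []
    for key, name, bad, meaning in TAMPER_INDICATORS:
        if dump.get(key, {}).get(name) == bad:
            findings.append(f'{meaning}: [{key}] "{name}"={bad!r}')
    for key in AUTOSTART_KEYS:
        for name, data in dump.get(key, {}).items():
            if isinstance(data, str) and any(fn in data.lower() for fn in WORM_FILE_NAMES):
                findings.append(f'autostart entry names a known Spybot file: [{key}] "{name}"={data!r}')
    for key in WORM_SERVICE_KEYS:
        if key in dump:
            findings.append(f'worm service registered: [{key}]')
    return findings


# Constructed sample export: four tampered values, one autostart entry and one
# untouched service (Messenger at its normal Start=3), as an infected XP host might show.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wuamgrd.exe"
'''

if __name__ == '__main__':
    for finding in find_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Several of these values are also set by legitimate hardening (`restrictanonymous`, disabling the Messenger or Telnet service, turning off administrative shares), so a single hit is weak evidence on its own; the combination of suppressed Security Center alerts, a disabled firewall, blocked updates and an autostart entry pointing at one of the listed file names is what distinguishes this family's tampering from an administrator's.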

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
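Steps 25 and 27 above describe the worm working through a fixed password list against MS SQL servers and network shares, and the note under step 27 explains the side effect: account lockouts from many failed authentications. That same pattern, one source producing a burst of failed network logons against many different account names, is how the spreading shows up in Security event logs, and it is the behaviour the password-policy and file-sharing recommendations are meant to blunt. The following is an added example, not Symantec's tooling or code from the writeup: it scans constructed failed-logon records (timestamp, event id, source, target account, logon type) and reports sources that fit the password-guessing pattern. The `parse_events` and `find_password_guessing` names, the record format, the thresholds and the sample log are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added example (not Symantec's tooling). Each input line is a failed-logon
# event reduced to: timestamp, event id, source address or workstation,
# target account, logon type. Event 529 is the Windows 2000/XP failed-logon
# id and 4625 the Vista-and-later one; logon type 3 is a network logon, which
# is what an SMB share or MS SQL authentication attempt produces.
FAILED_LOGON_IDS = {'529', '4625'}
NETWORK_LOGON = 3

Event = Tuple[datetime, str, str, str, int]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed whitespace-separated record format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, account, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), event_id, source, account, int(logon_type)))
    return events


def find_password_guessing(events: List[Event], window: timedelta = timedelta(minutes=2),
                           min_attempts: int = 10, min_accounts: int = 5
                           ) -> Dict[str, Tuple[int, List[str]]]:
    """Sources with at least min_attempts failed network logons against at least
    min_accounts distinct accounts inside one sliding window of the given length.
    Returns {source: (attempts, accounts)} for the densest window seen per source."""
    by_source: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, event_id, source, account, logon_type in events:
        if event_id in FAILED_LOGON_IDS and logon_type == NETWORK_LOGON:
            by_source[source].append((ts, account.lower()))
    hits: Dict[str, Tuple[int, List[str]]] = {}
    for source, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = sorted({acct for _, acct in span})
            if len(span) >= min_attempts and len(accounts) >= min_accounts:
                if source not in hits or len(span) > hits[source][0]:
                    hits[source] = (len(span), accounts)
    return hits


# Constructed sample: 10.0.0.23 cycles six account names from the writeup's
# list twice in twelve seconds; 10.0.0.50 is a user mistyping one password;
# WKS07 is an interactive (type 2) failure and is ignored.
SAMPLE_LOG = """\
2007-11-30T10:00:01 529 10.0.0.23 Administrator 3
2007-11-30T10:00:02 529 10.0.0.23 admin 3
2007-11-30T10:00:03 529 10.0.0.23 guest 3
2007-11-30T10:00:04 529 10.0.0.23 backup 3
2007-11-30T10:00:05 529 10.0.0.23 oracle 3
2007-11-30T10:00:06 529 10.0.0.23 sql 3
2007-11-30T10:00:07 529 10.0.0.23 Administrator 3
2007-11-30T10:00:08 529 10.0.0.23 admin 3
2007-11-30T10:00:09 529 10.0.0.23 guest 3
2007-11-30T10:00:10 529 10.0.0.23 backup 3
2007-11-30T10:00:11 529 10.0.0.23 oracle 3
2007-11-30T10:00:12 529 10.0.0.23 sql 3
2007-11-30T10:03:15 529 10.0.0.50 jsmith 3
2007-11-30T10:03:40 529 10.0.0.50 jsmith 3
2007-11-30T10:04:02 529 10.0.0.50 jsmith 3
2007-11-30T10:05:30 529 WKS07 jsmith 2
"""

if __name__ == '__main__':
    for source, (attempts, accounts) in find_password_guessing(parse_events(SAMPLE_LOG)).items():
        print(f'{source}: {attempts} failed network logons against {", ".join(accounts)}')
```

Two things separate this from ordinary lockout noise: the accounts being tried are generic names from a dictionary (administrator, guest, backup, oracle, sql) rather than the real users of the target, and the attempts arrive faster than a person types. Thresholds need tuning per environment, but a source that trips this rule is also the one whose lockouts the note under step 27 warns about, so the detection and the help-desk symptom point at the same machine.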


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further, we recommend that you run a full system scan. If that does not resolve the problem, you can try one of the options available below.
FOR NORTON USERS
If you are a Norton product user, we recommend you try the following resources to remove this risk.

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec endpoints. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network



MANUAL REMOVAL
The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product


2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details section of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.
