System Infected: W32.Spybot.Worm Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic generated by W32.Spybot.Worm, which could lead to further infection of the affected system.

Additional Information

When W32.Spybot.Worm is executed, it does the following:
Copies itself to the %System% folder. Some variants may have one of the following file names:

Bling.exe
Netwmon.exe
Wuamgrd.exe

Note: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

May create and share a folder on the Kazaa file-sharing network by adding the following registry value:

"dir0" = "012345:[CONFIGURABLE PATH]"

to the registry subkey:

HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent

Copies itself to the configured path using file names designed to trick other users into downloading and executing the worm.

May perform Denial of Service attacks on specified servers.

May end security application processes.

Connects to specified IRC servers and joins a channel to receive commands. The commands may include the following:

Scan for vulnerable computers
Download or upload files
List or end running processes
Steal cached passwords
Log keystrokes to steal information entered into windows with titles containing the following strings:

bank
login
e-bay
ebay
paypal

Start a local HTTP, FTP, or TFTP server
Search for files on the compromised computer
Capture screenshots, data from the clipboard, and footage from webcams
Visit URLs
Flush the DNS and ARP caches
Open a command shell on the compromised computer
Intercept packets on the local area network
Send net send messages
Copy itself to many hard-coded Windows startup folders, such as the following:

Documents and Settings\All Users\Menu Start\Programma's\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

Note: Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder. These files may have file names such as TFTP780 or TFTP###, where # can be any number.

Adds a variable registry value to one or more of the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE

For example:

"Microsoft Update" = "wuamgrd.exe"

or

"Microsoft Macro Protection Subsystem" = "bling.exe"

May create a random subkey with random values under the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE

For example, it may add the value:

"{0BCDA1A6641FB859F}" = "bb 75 8e 3b 04 ae 16 5c 7f 68 ef 02 ed f6 0e 26 86 73 e3 30 bd"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\The Silicon Realms Toolworks\Armadillo

May create a random subkey under the following subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID

May modify one of the following values:

"EnableDCOM" = "Y"
"EnableDCOM" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

which enables or disables DCOM settings, depending on the command from the attacker.

May modify the value:

"restrictanonymous" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

to restrict network access.

May modify the value:

"Start" = "4"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger

to disable various services.

May modify the values:

"AutoShareWks" = "0"
"AutoShareServer" = "0"

in the registry subkeys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters

May modify the value:

"DoNotAllowXPSP2" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

to prevent Windows XP SP2 from being installed on the compromised computer.

May modify the value:

"AUOptions" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\AutoUpdate

May modify the values:

"UpdatesDisableNotify" = "1"
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"AntiVirusOverride" = "1"
"FirewallOverride" = "1"

in the following registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

to disable Microsoft Security Center.

May modify the value:

"EnableFirewall" = "0"

in the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

to disable the Microsoft Windows XP firewall.

May modify registry entries to disable services:

For example:

wscsvc
Tlntsvr
RemoteRegistry
Messenger
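As an added defender-side example (not Symantec's code and not part of this signature), the following Python parses a registry export (.reg text) and flags the autorun, Security Center, service Start, and firewall values described above. The SAMPLE_REG fragment is constructed for the example, and the function and constant names are assumptions.

```python
import re
# Constructed .reg export (not from the advisory): several of the modifications
# described above plus one benign autorun entry as a control.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update"="wuamgrd.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
"""
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
# Indicators taken from the advisory text above (names compared case-insensitively).
WORM_FILES = ("bling.exe", "netwmon.exe", "wuamgrd.exe")
AUTORUN_KEYS = ("run", "runonce", "runservices")
DISABLED_SERVICES = ("sharedaccess", "wscsvc", "tlntsvr", "remoteregistry", "messenger")
SEC_CENTER = ("updatesdisablenotify", "antivirusdisablenotify", "firewalldisablenotify",
              "antivirusoverride", "firewalloverride")

def parse_reg(text):
    """Yield (key, name, value) from .reg text; dword values become ints."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
        elif key and (m := VAL_RE.match(line)):
            name, s, d = m.groups()
            yield key, name, (int(d, 16) if d is not None else s)

def check_reg(text):
    """Return (key, name, reason) for each value matching an indicator above."""
    hits = []
    for key, name, value in parse_reg(text):
        n, tail = name.lower(), key.lower().rsplit("\\", 1)[-1]
        num = int(value) if str(value).isdigit() else None  # "1" and dword:1 alike
        if tail in AUTORUN_KEYS and any(f in str(value).lower() for f in WORM_FILES):
            hits.append((key, name, "autorun entry names a known worm file"))
        elif tail == "security center" and n in SEC_CENTER and num == 1:
            hits.append((key, name, "Security Center alerting disabled"))
        elif n == "start" and num == 4 and tail in DISABLED_SERVICES:
            hits.append((key, name, "service disabled (Start=4)"))
        elif n == "enablefirewall" and num == 0 and "\\windowsfirewall\\" in key.lower():
            hits.append((key, name, "Windows Firewall profile disabled"))
    return hits
```

Run it against `reg export` output from a suspect host; the benign ctfmon entry and the zero-valued FirewallDisableNotify in the sample show that only the advisory's values are reported.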

May send confidential information, such as the operating system, IP address, user name, etc., to the IRC server.

May open a back door on a random port.

May create subkeys to register itself as a service.

For example:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN

May drop a device driver file named %System%\haxdrv.sys.

May start a proxy server for the HTTP, SOCKS4, or SMTP protocol.

May port scan the network.

May attempt to connect to MS SQL servers with weak Administrator or SA passwords, and copy itself to the computer if successful. The following passwords could be applied in an attempt to authenticate to the remote server:

null
Rendszergazda
Beheerder
amministratore
hallintovirkailijat
Administrat
Administrateur
administrador
Administrador
administrator
Administrator
ADMINISTRATOR
Password
password
admin
123

May enumerate the accounts on the computer and disable the "SeNetworkLogonRight" authorization constant for them, explicitly denying those accounts the right to log on using the network logon type.

May attempt to enumerate users in order to copy itself to network shares. The following passwords could be applied in an attempt to authenticate to the remote share:

007
123
1234
12345
123456
1234567
12345678
123456789
1234567890
2000
2001
2002
2003
2004
access
accounting
accounts
adm
administrador
administrat
administrateur
administrator
admins
amministratore
asd
backup
beheerder
bill
bitch
blank
bob
brian
changeme
chris
cisco
compaq
computer
control
data
database
databasepass
databasepassword
db1
db1234
db2
dba
dbpass
dbpassword
default
dell
demo
domain
domainpass
domainpassword
eric
exchange
fred
fuck
george
god
guest
hallintovirikailijat
hell
hello
home
homeuser
ian
ibm
internet
intranet
jen
joe
john
kate
katie
lan
lee
linux
login
loginpass
luke
mail
main
mary
mike
neil
nokia
none
null
oem
oeminstall
oemuser
office
oracle
orainstall
outlook
owner
pass
pass1234
passwd
password
password1
peter
pwd
qaz
qwe
qwerty
rendszergazda
sam
server
sex
siemens
slut
sql
sqlpassoainstall
staff
student
sue
susan
system
teacher
technical
test
unix
user
web
win2000
win2k
win98
windows
winnt
winpass
winxp
www
wwwadmin
zxc

Note: This step may result in user accounts being locked out due to multiple failed authentication attempts.

May spread by exploiting the following vulnerabilities:

The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 135, 139 or 445.
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS06-040).
Symantec Client Security and Symantec AntiVirus Elevation of privilege (as described in Symantec Advisory SYM06-010).
Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874).

May download and execute remote files, including updates of the worm.

May check whether it is running under a debugger or inside VMware. The worm terminates immediately if this is the case.

May drop Hacktool.Rootkit to hide the worm from the process list and register the hacktool as a service.

For example it may drop rdriv.sys and create the following subkeys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV

Affected

  • Windows