W32/Spybot.worm.gen

Type: Virus
SubType: Internet Worm
Discovery Date: 04/23/2003
Length: 16k-146k
Minimum DAT: 4260 (04/30/2003)
Updated DAT: 5805 (11/17/2009)
Minimum Engine: 5.1.00
Description Added: 05/02/2003
Description Modified: 11/17/2009 5:04 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

-- Update November 17, 2009 --

Upon execution, the worm drops a copy of itself into the location below and deletes the original file:

  • %Windir%\system\smsc.exe

It drops another file in the following location:

  • %WinDir%\System32\drivers\sysdrv32.sys

The following registry keys are added to the system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SVCWINSPOOL
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SVCWINSPOOL
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSDRV32\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Security
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32\Enum

The worm creates the following Run entry, which is used to execute the worm again after the system reboots:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WSSVC"="%Windir%\system\smsc.exe"

The sysdrv32.sys file is installed on the victim machine as a service, with the following registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysdrv32]
    • "Type"="0x00000001"
    • "Start"="0x00000003"
    • "ErrorControl"="0x00000001"
    • "ImagePath"="%System%\drivers\sysdrv32.sys"
    • "DisplayName"="Play Port I/O Driver"
    • "Group"="SST wanport drivers"

smsc.exe changes the Windows Firewall settings by registering itself as an authorized application through the following registry entry:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\WINDOWS\system\smsc.exe:"="C:\WINDOWS\system\smsc.exe:*:Enabled:smsc"

-- Update July 10, 2009 --

Some variants have exhibited the following unique characteristics:

Upon execution, the following registry keys have been added:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VMWARESERVICE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VMwareService
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService

The following registry values are modified:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    New data: %Root%\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    New data: %Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    New data: %Root%\Documents and Settings\LocalService\Cookies
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "History"
    New data: %Root%\Documents and Settings\LocalService\Local Settings\History
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cache"
    New data: %Root%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders "Cookies"
    New data: %Root%\Documents and Settings\LocalService\Cookies

(where %Root% is the root of the drive, for example C:\)

The following value is added to give the worm autorun capability (it runs as the VMwareService service):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService "ImagePath"
    Data: "%WinDir%\system\VMwareService.exe"

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

Hosts that become infected will have the following files added:

  • %Root%\[Random]\RECYCLER\[Random]\autorunme.exe
  • %Root%\autorun.inf

(where %Root% is the root of the drive, for example C:\)

The following file is also added:

  • %WinDir%\system\VMwareService.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

This variant may also attempt to contact the following addresses:

  • 1.h8[removed].in

-- Update September 25, 2008 --

Upon execution, the new variant copies itself to the following location:

  • %WinDir%\system32\drivers\lsass.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It modifies the following files to disable ftp functionality:

  • %WinDir%\system32\ftp.exe
  • %WinDir%\system32\sfc_os.dll (identified as the PatchedSFC trojan)

It stores the original sfc_os.dll under the following name:

  • %WinDir%\system32\trashD1CE92 (file name may be random)

It hooks system startup by adding the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe: "%WinDir%\system32\drivers\lsass.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe %WINDIR%\system32\drivers\lsass.exe"

It also creates or modifies the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan: 0x0000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT\DontReportInfectionInformation: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable: 0xFFFFFF9D
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WaitToKillServiceTimeout: "7000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout: "7000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000004
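
As an added example (not McAfee's own tooling), the following Python parses a decoded .reg export and reports which of the security-weakening DWORD values from the list above are present with the data the worm writes. The embedded export is constructed, the checked values are a selection from that list, and the text is assumed to be already decoded from the UTF-16 that `reg export` produces.

```python
"""Report registry values from a .reg export that match the protections the
worm disables (Security Center notifications, Windows Firewall, SFC, Task
Manager, the Security Center service).  Added example, not McAfee's code."""
import re
from typing import Dict, List, Tuple

# (key path, value name, DWORD data) selected from the advisory's list above.
WEAKENED_SETTINGS: List[Tuple[str, str, int]] = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "FirewallDisableNotify", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center", "UpdatesDisableNotify", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile", "EnableFirewall", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable", 0xFFFFFF9D),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc", "Start", 4),
]

KEY_RE = re.compile(r"^\[(.+)\]\s*$")                       # [HKEY_...\Path]
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})\s*$')  # "Name"=dword:xxxxxxxx


def parse_reg(text: str) -> Dict[str, Dict[str, int]]:
    """Parse the DWORD values of a .reg export into {key path: {name: int}}.
    String and binary values are skipped; every indicator above is a DWORD."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2), 16)
    return result


def find_weakened(reg: Dict[str, Dict[str, int]]) -> List[str]:
    """Return 'key\\name=0x........' for each indicator present with the bad data.
    Registry paths and value names are case-insensitive, so compare lower-cased."""
    lookup = {k.lower(): v for k, v in reg.items()}
    hits = []
    for key, name, bad in WEAKENED_SETTINGS:
        for vname, data in lookup.get(key.lower(), {}).items():
            if vname.lower() == name.lower() and data == bad:
                hits.append(f"{key}\\{name}=0x{data:08X}")
    return hits


# Constructed sample export: three indicators match, UpdatesDisableNotify is
# still 0 and wscsvc is still set to auto-start (2), so those must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"SFCDisable"=dword:ffffff9d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
"""

if __name__ == "__main__":
    for hit in find_weakened(parse_reg(SAMPLE_REG)):
        print("weakened:", hit)
```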

It attempts to connect to the following IRC servers:

  • www.worldcasino.to
  • mail.fucuzzy
  • mail.TIKTIKZ

-- Update November 1, 2006 --

Recent variants of this threat were found to be connecting to the following site(s):

  • dl1.debe(hidden)zombi.com     canonical name = mildred.debe(hidden)zombi.com.
    Name:   mildred.debe(hidden)zombi.com
    Address: 69.60.xx.xx
  • xv21.debe(hidden)zombi.com    canonical name = vps2.debe(hidden)zombi.com.
    Name:   vps2.debe(hidden)zombi.com
    Address: 69.60.xx.xx

These variants download a copy of Downloader-ATI, and could be actively scanning for hosts vulnerable to MS06-040 like the earlier variants.

-- Update September 1, 2006 --
There are several variants of this threat, and certain details may vary per variant. The 4843 DAT files identify the sample with MD5 hash 0xa602476c365e6e2ac37321503b7e66ee as W32/Spybot.worm.gen.o; the previous DAT detected this variant as W32/Spybot.worm.gen.p.

It is imperative for systems to have the MS06-040 patch applied.

-- Update March 05, 2004 --
This family of worms now has more than 1,000 variants. The majority of variants are proactively detected. For maximum protection, users are recommended to:

  • use the latest engine/DAT combination
  • ensure the scanning of compressed files is enabled

-- Update January 22, 2004 --
This family of worms now has more than 800 variants and is the record holder as the biggest ever family of worms.

-- Update October 28, 2003 --
The number of variants has reached about 500. Nearly all new variants were proactively detected.

-- Update May 16, 2003 --
This family of worms is expanding extremely rapidly (89 variants currently), and new variants are constantly being covered by our generic detection. For up-to-date protection from the latest variants you need to use the latest DATs.

This family is quite big, with as many as 55 different variants belonging to it. Some are packed with the FSG packer for PE executables.

All members of this worm family have the capability to record keystrokes into a text file, which can then be transmitted to the attacker over the IRC protocol. The information about pressed keystrokes is saved in the following form:

[F12][ESC][Insert][Down][Up][TAB]...

The worm can also accept remote commands and participate in, for example, a denial-of-service flood attack on a Web site.

Some variants include backdoor capabilities (remote cmd.exe, listing files, retrieving files, keylogging, etc.), port redirection and the ability to circumvent antivirus and firewalls, and can spread using Kazaa, kuang2 (port 17300) and sub7 (port 27347).

Symptoms

-- Update November 17, 2009 --

  • Presence of the files and registry keys mentioned above.
  • It tries to connect to remote sites through TCP port

----

Many identical files of the same size with random-looking names (like "xqmrgnf.exe" or "ounakfg.scr"). Frequently one of the copies is called "porn.exe". Some variants also drop files with plausible-looking names like "AVP_Crack.exe" or "zonealarm_pro_crack.exe".

  • Presence of a short text file in the Windows folder (frequently "keylog.txt", but other names have also been observed) that holds records like:

      [23:Apr:2003, 20:11:34] Keylogger Started
      ...
      [24:Apr:2003, 09:48:22] Keylogger Started
      ...

A possible indication of infection is outbound traffic directed to port 17300 or 27374, typically in the form of many probes sent to consecutive IPs like:

  • FROM: local network host TO: 12.34.56.78:17300
  • FROM: local network host TO: 12.34.56.79:17300
  • FROM: local network host TO: 12.34.56.80:17300
  • FROM: local network host TO: 12.34.56.81:17300
  • FROM: local network host TO: 12.34.56.82:17300
  • ....
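
The probe pattern above can be turned into a detection rule: a single source hitting a run of consecutive destination addresses on port 17300 or 27374. The Python below is an added example, not part of the original page; its log lines are constructed in the page's own "FROM: ... TO: ip:port" style (adapt `parse_line` to your firewall's real format), and the alert threshold `MIN_RUN` is an assumed value.

```python
"""Flag hosts probing consecutive IP addresses on the kuang2/sub7 ports named in
the advisory.  Added example, not McAfee's code."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

SUSPECT_PORTS = {17300, 27374}   # kuang2 and sub7 default ports from the symptoms above
MIN_RUN = 4                      # assumed threshold: consecutive targets before alerting

# Matches the "FROM: <host> TO: <ip>:<port>" style used in the symptoms list.
LINE_RE = re.compile(r"FROM:\s*(.+?)\s+TO:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_line(line: str) -> Optional[Tuple[str, int, int]]:
    """Return (source, destination as an integer, port) or None for non-matching
    lines.  Destinations become integers so that a run is still detected when it
    crosses an octet boundary (12.34.56.255 -> 12.34.57.0)."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, port = m.group(1), m.group(2), int(m.group(3))
    try:
        return src, int(ipaddress.IPv4Address(dst)), port
    except ipaddress.AddressValueError:   # e.g. an octet above 255
        return None


def longest_consecutive_run(addresses: List[int]) -> int:
    """Length of the longest run of strictly consecutive addresses.
    Duplicates (retries of the same target) are collapsed so they do not break a run."""
    best = run = 0
    prev: Optional[int] = None
    for a in sorted(set(addresses)):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best


def find_scanners(lines: List[str]) -> Dict[Tuple[str, int], int]:
    """Group probes by (source, port) and return the sources whose longest run of
    consecutive destinations on a suspect port reaches MIN_RUN."""
    seen: Dict[Tuple[str, int], List[int]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in SUSPECT_PORTS:
            continue
        src, dst, port = parsed
        seen[(src, port)].append(dst)
    alerts: Dict[Tuple[str, int], int] = {}
    for key, dsts in seen.items():
        run = longest_consecutive_run(dsts)
        if run >= MIN_RUN:
            alerts[key] = run
    return alerts


# Constructed sample log: ws17 mirrors the advisory's example (with one retry),
# ws22 sends a lone sub7 probe and ws31 is ordinary HTTPS traffic; only ws17 alerts.
SAMPLE_LOG = [
    "FROM: ws17 TO: 12.34.56.78:17300",
    "FROM: ws17 TO: 12.34.56.79:17300",
    "FROM: ws17 TO: 12.34.56.79:17300",
    "FROM: ws17 TO: 12.34.56.80:17300",
    "FROM: ws17 TO: 12.34.56.81:17300",
    "FROM: ws17 TO: 12.34.56.82:17300",
    "FROM: ws22 TO: 198.51.100.9:27374",
    "FROM: ws31 TO: 203.0.113.10:443",
    "FROM: ws31 TO: 203.0.113.11:443",
    "FROM: ws31 TO: 203.0.113.12:443",
    "FROM: ws31 TO: 203.0.113.13:443",
]

if __name__ == "__main__":
    for (src, port), run in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {run} consecutive hosts probed on TCP/{port}")
```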

 

Method of Infection

-- Update November 17, 2009 --

The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

-----

The worm copies itself into the folder defined by the "Kazaa\localcontent" registry value and into the "kazaabackupfiles" subdirectory. Some copies may have enticing names (like "porn.exe", "Matrix Screensaver 1.5.scr", "Smart Ripper v2.7.exe", etc.) so that other people download the worm through the P2P file-sharing program. Once the downloaded copy of the worm is executed, the cycle repeats.
Some variants can scan subnets for systems already infected by sub7 or kuang2 to spread further.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

If you are using P2P software (Kazaa, Gnotella, Bearshare, Morpheus, eDonkey, eMule, etc.) be very careful with downloaded executable files.

Please make sure that scanning of compressed files is enabled. Always scan downloaded files with the latest DATs in program heuristic mode.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BKDR_SPYBOT (Trend)
  • TROJ_SPYBOT (Trend)
  • W32.Spybot.worm (NAV)
  • WORM_RPCSDBOT (Trend)
  • WORM_SPYBOT (Trend)
