W32/Spybot.worm.gen

Type
Virus
SubType
Internet Worm
Discovery Date
04/23/2003
Length
16k-146k
Minimum DAT
4260 (04/30/2003)
Updated DAT
5666 (07/04/2009)
Minimum Engine
5.1.00
Description Added
05/02/2003
Description Modified
09/25/2008 1:53 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update September 25, 2008 --

Upon execution, the new variant copies itself to the following location:

  • %WinDir%\system32\drivers\lsass.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It modifies the following files:

  • %WinDir%\system32\ftp.exe
  • %WinDir%\system32\sfc_os.dll (identified as the PatchedSFC trojan)

to disable FTP functionality.

It stores the original sfc_os.dll at the following location:

  • %WinDir%\system32\trashD1CE92 (file name may be random)

It hooks system startup by adding the following registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe: "%WinDir%\system32\drivers\lsass.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe %WINDIR%\system32\drivers\lsass.exe"

It also creates or modifies the following registry values (disabling Security Center notifications, the Windows Firewall, Windows File Protection, Task Manager and Registry Editor, and several services):

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan: 0x0000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT\DontReportInfectionInformation: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\EnableFirewall: 0x00000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareWks: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters\AutoShareServer: 0x00000000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start: 0x00000004
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000001
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable: 0xFFFFFF9D
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WaitToKillServiceTimeout: "7000"
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\restrictanonymous: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Messenger\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RemoteRegistry\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout: "7000"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous: 0x00000001
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start: 0x00000004
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start: 0x00000004
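The registry entries above are the most durable host indicators for this variant, and a responder will usually want to check a suspect machine for them in one pass rather than by hand. The following script is an added example and not McAfee's tooling: it encodes the persistence entries (Run key, Winlogon Shell), the Windows File Protection and Security Center tampering, the firewall policy values and the disabled services from the list above, and evaluates them through an injected `reader` so the same logic runs live on a Windows host (via `winreg`) or offline against a snapshot parsed from a `.reg` export. The `AutoShare*`, `restrictanonymous` and `WaitToKillServiceTimeout` entries are omitted for brevity, and the snapshot at the bottom is constructed, not a real capture.

```python
"""Hunt for the registry indicators listed in the description above.

Added example, not McAfee's own tooling. Key paths, value names and values are
those in the description; the injected `reader` lets the same checks run on a
Windows host (winreg) or offline against a constructed snapshot of a hive.
"""
import sys

HKLM = "HKEY_LOCAL_MACHINE"
HKCU = "HKEY_CURRENT_USER"


def _eq(expected):
    return lambda v: v == expected


def _present(v):
    return v is not None


def _shell_hijacked(v):
    # Winlogon\Shell normally reads "Explorer.exe"; the worm appends its own copy.
    return isinstance(v, str) and r"drivers\lsass.exe" in v.lower()


# (hive, key, value name, predicate, meaning) -- values as given in the description
INDICATORS = [
    (HKLM, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "lsass.exe", _present,
     "Run-key persistence for the dropped lsass.exe"),
    (HKLM, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", _shell_hijacked,
     "Winlogon Shell launches the dropped lsass.exe"),
    (HKLM, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable", _eq(0xFFFFFF9D),
     "Windows File Protection disabled"),
    (HKLM, r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", _eq(1),
     "XP SP2 installation blocked"),
    (HKLM, r"SOFTWARE\Policies\Microsoft\MRT", "DontReportInfectionInformation", _eq(1),
     "MSRT infection reporting suppressed"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", _eq(1),
     "Task Manager disabled"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", _eq(1),
     "Registry Editor disabled"),
]
for name in ("UpdatesDisableNotify", "AntiVirusDisableNotify", "FirewallDisableNotify",
             "AntiVirusOverride", "FirewallOverride"):
    INDICATORS.append((HKLM, r"SOFTWARE\Microsoft\Security Center", name, _eq(1),
                       "Security Center %s set" % name))
for profile in ("StandardProfile", "DomainProfile"):
    INDICATORS.append((HKLM, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\%s" % profile,
                       "EnableFirewall", _eq(0), "Windows Firewall %s disabled by policy" % profile))
for cs in ("ControlSet001", "CurrentControlSet"):
    for svc in ("wscsvc", "Messenger", "RemoteRegistry", "TlntSvr"):
        INDICATORS.append((HKLM, r"SYSTEM\%s\Services\%s" % (cs, svc), "Start", _eq(4),
                           "service %s set to Disabled (%s)" % (svc, cs)))


def winreg_reader(hive, key, name):
    """Live reader for Windows hosts; returns None when the key or value is absent."""
    import winreg
    root = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}[hive]
    try:
        with winreg.OpenKey(root, key) as handle:
            return winreg.QueryValueEx(handle, name)[0]
    except OSError:
        return None


def snapshot_reader(snapshot):
    """Reader over a {(hive, key, name): value} dict, e.g. parsed from a .reg export."""
    table = {(h, k.lower(), n.lower()): v for (h, k, n), v in snapshot.items()}
    return lambda hive, key, name: table.get((hive, key.lower(), name.lower()))


def check_host(reader):
    """Return [(meaning, full path, value)] for every indicator the host matches."""
    hits = []
    for hive, key, name, matches, meaning in INDICATORS:
        value = reader(hive, key, name)
        if value is not None and matches(value):
            hits.append((meaning, "%s\\%s\\%s" % (hive, key, name), value))
    return hits


# Constructed snapshot imitating an infected XP host (not a real capture).
SAMPLE_SNAPSHOT = {
    (HKLM, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "lsass.exe"):
        r"C:\WINDOWS\system32\drivers\lsass.exe",
    (HKLM, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r"Explorer.exe C:\WINDOWS\system32\drivers\lsass.exe",
    (HKLM, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "SFCDisable"): 0xFFFFFF9D,
    (HKLM, r"SOFTWARE\Microsoft\Security Center", "AntiVirusDisableNotify"): 1,
    (HKLM, r"SYSTEM\CurrentControlSet\Services\wscsvc", "Start"): 4,
    # firewall policy present but still enabled: must not be reported
    (HKLM, r"SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile", "EnableFirewall"): 1,
}

if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else snapshot_reader(SAMPLE_SNAPSHOT)
    for meaning, path, value in check_host(reader):
        print("%-50s %s = %r" % (meaning, path, value))
```

A DWORD such as `0xFFFFFF9D` comes back from `winreg` as the unsigned integer 4294967197, which compares equal to the literal used here. Several of the policy values (firewall disabled, Security Center overrides) can be set legitimately by an administrator, so treat the Run key and Winlogon Shell entries as the decisive hits and the rest as corroboration.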

It attempts to connect to the following IRC servers:

  • www.worldcasino.to
  • mail.fucuzzy
  • mail.TIKTIKZ

-- Update November 1, 2006 --

Recent variants of this threat were found to be connecting to the following site(s):

  • dl1.debe(hidden)zombi.com     canonical name = mildred.debe(hidden)zombi.com.
    Name:   mildred.debe(hidden)zombi.com
    Address: 69.60.xx.xx
  • xv21.debe(hidden)zombi.com    canonical name = vps2.debe(hidden)zombi.com.
    Name:   vps2.debe(hidden)zombi.com
    Address: 69.60.xx.xx

These variants download a copy of Downloader-ATI, and could be actively scanning for hosts vulnerable to MS06-040 like the earlier variants.

-- Update September 1, 2006 --
There are several variants of this threat, and certain details may vary per variant. The 4843 DAT files identify the sample with hash MD5:0xa602476c365e6e2ac37321503b7e66ee as W32/Spybot.worm.gen.o. The previous DAT detected this variant as W32/Spybot.worm.gen.p.

It is imperative for systems to have the MS06-040 patch applied.

-- Update March 05, 2004 --
This family of worms now has more than 1,000 variants. The majority of variants are proactively detected. For maximum protection, users are recommended to:

  • use the latest engine/DAT combination
  • ensure the scanning of compressed files is enabled

--

-- Update January 22, 2004 --
This family of worms now has more than 800 variants and is the biggest family of worms on record.
--

-- Update October 28, 2003 --
The number of variants has reached about 500. Nearly all new variants were proactively detected.
--

-- Update May 16, 2003 --
This family of worms is expanding extremely rapidly (89 variants currently) and new variants are constantly being covered by our generic detection. For up-to-date protection from the latest variants you need to use the latest DATs.
--

This family is quite big, with as many as 55 different variants belonging to it. Some are packed with the FSG packer for PE executables.

All members of this worm family have the capability to record keystrokes into a text file. This text file can then be transmitted to the attacker over the IRC protocol. The information about pressed keystrokes is saved in the following form:

[F12][ESC][Insert][Down][Up][TAB]...

The worm can also accept remote commands and participate in, for example, a denial-of-service flood attack on a Web site.

Some variants include backdoor capabilities (remote cmd.exe, list files, retrieve files, keylogging, etc.), port redirection, the ability to circumvent antivirus and firewalls, and can spread using Kazaa, kuang2 (port 17300) and sub7 (port 27347).

Symptoms

  • Many identical files of the same size with random-looking names (like "xqmrgnf.exe" or "ounakfg.scr"). Frequently one of the copies is called "porn.exe". Some variants also drop files with plausible names like "AVP_Crack.exe" or "zonealarm_pro_crack.exe".
  • Presence of a short text file in the Windows folder (frequently "keylog.txt", but other names have also been observed) that holds records like:

      [23:Apr:2003, 20:11:34] Keylogger Started
      ...
      [24:Apr:2003, 09:48:22] Keylogger Started
      ...
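The keylog file is the one artifact that tells a responder how long credentials may have been captured, since every "Keylogger Started" header marks a run of the worm. The script below is an added example, not McAfee's tooling: it hunts a folder for small text files carrying the header in exactly the quoted format and returns the start time of each keylogger run, so the earliest timestamp bounds the exposure window. The size limit, the `.txt` filter and the sample text are assumptions made for the example, and the sample is constructed rather than a real capture.

```python
"""Find and date the keylog text file described above.

Added example, not McAfee's tooling. The header format is the one quoted in the
description ("[23:Apr:2003, 20:11:34] Keylogger Started"); the file-name and
size limits and the sample text are assumptions made for this example.
"""
import datetime as dt
import os
import re
import tempfile

HEADER_RE = re.compile(r"^\[(\d{2}:[A-Za-z]{3}:\d{4}), (\d{2}:\d{2}:\d{2})\] Keylogger Started\s*$")
MAX_SIZE = 1_000_000  # the description calls the file "short"; skip anything larger


def session_starts(text):
    """Return a datetime for every 'Keylogger Started' header, i.e. each keylogger run."""
    starts = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            starts.append(dt.datetime.strptime(m.group(1) + " " + m.group(2), "%d:%b:%Y %H:%M:%S"))
    return starts


def hunt(root):
    """Walk `root` (e.g. the Windows folder) for small .txt files that carry the header."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SIZE:
                    continue
                with open(path, "r", errors="replace") as fh:
                    starts = session_starts(fh.read())
            except OSError:
                continue
            if starts:
                found[os.path.relpath(path, root)] = starts
    return found


# Constructed sample in the quoted format (not a real capture).
SAMPLE_KEYLOG = """\
[23:Apr:2003, 20:11:34] Keylogger Started
[F12][ESC][Insert][Down][Up][TAB]
[24:Apr:2003, 09:48:22] Keylogger Started
[TAB][Down][Down][ENTER]
"""


def demo():
    """Build a throwaway folder with one keylog and one innocent file, then hunt it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "keylog.txt"), "w") as fh:
            fh.write(SAMPLE_KEYLOG)
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("nothing to see here\n")
        return hunt(root)


if __name__ == "__main__":
    for path, starts in demo().items():
        print(path, "keylogger runs:", ", ".join(s.isoformat(" ") for s in starts))
```

On a real host, call `hunt` with the Windows folder; the description notes that the file name varies, which is why the hunt keys on the header rather than on "keylog.txt".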


A possible indication of infection is outbound traffic directed to port 17300 or 27374, typically in the form of many probes sent to consecutive IPs, such as:

  • FROM: local network host TO: 12.34.56.78:17300
  • FROM: local network host TO: 12.34.56.79:17300
  • FROM: local network host TO: 12.34.56.80:17300
  • FROM: local network host TO: 12.34.56.81:17300
  • FROM: local network host TO: 12.34.56.82:17300
  • ....
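The consecutive-destination pattern above is easy to pick out of firewall or flow logs once the logic is written down. The following script is an added example, not McAfee's tooling: it parses lines in the "FROM: ... TO: ip:port" form shown above, groups destinations by source and port, and reports any source that hit a run of adjacent addresses on 17300 or 27374. It goes slightly beyond the page by deduplicating repeated probes and ignoring unrelated traffic so the run detection is not thrown off by noise. The log lines are constructed, not captured traffic, and the run threshold of 5 is an assumption.

```python
"""Spot the port-17300/27374 sweep described above in connection logs.

Added example, not McAfee's tooling. Reads "FROM: ... TO: ip:port" lines and
reports sources that probed a run of consecutive destination addresses on one
of the two ports. The log below is constructed, not captured traffic.
"""
import ipaddress
import re
from collections import defaultdict

PROBE_PORTS = {17300, 27374}   # kuang2 and sub7 ports named in the description
MIN_RUN = 5                    # consecutive destinations before a run counts as a sweep

LINE_RE = re.compile(r"FROM:\s*(\S+)\s+TO:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_line(line):
    """Return (src, dst as int, port) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        dst = int(ipaddress.IPv4Address(m.group(2)))
    except ipaddress.AddressValueError:
        return None
    return m.group(1), dst, int(m.group(3))


def find_sweeps(lines, min_run=MIN_RUN, ports=PROBE_PORTS):
    """Return [(src, port, first_dst, last_dst, count)] for every consecutive-IP run."""
    targets = defaultdict(set)          # (src, port) -> distinct destinations
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] in ports:
            src, dst, port = parsed
            targets[(src, port)].add(dst)

    sweeps = []
    for (src, port), dsts in targets.items():
        ordered = sorted(dsts)
        start = prev = ordered[0]
        for cur in ordered[1:] + [None]:  # None flushes the final run
            if cur is not None and cur == prev + 1:
                prev = cur
                continue
            if prev - start + 1 >= min_run:
                sweeps.append((src, port, str(ipaddress.IPv4Address(start)),
                               str(ipaddress.IPv4Address(prev)), prev - start + 1))
            if cur is not None:
                start = prev = cur
    return sweeps


# Constructed log: one host sweeping on 17300 (with a repeat and a stray probe),
# another host with a short run on 27374 plus ordinary DNS traffic.
SAMPLE_LOG = """\
FROM: 10.0.0.5 TO: 12.34.56.78:17300
FROM: 10.0.0.5 TO: 12.34.56.79:17300
FROM: 10.0.0.5 TO: 12.34.56.80:17300
FROM: 10.0.0.5 TO: 12.34.56.81:17300
FROM: 10.0.0.5 TO: 12.34.56.79:17300
FROM: 10.0.0.5 TO: 12.34.56.82:17300
FROM: 10.0.0.5 TO: 12.34.56.83:17300
FROM: 10.0.0.5 TO: 12.34.56.84:17300
FROM: 10.0.0.5 TO: 12.34.56.90:17300
FROM: 10.0.0.9 TO: 8.8.8.8:53
FROM: 10.0.0.9 TO: 12.34.57.1:27374
FROM: 10.0.0.9 TO: 12.34.57.2:27374
FROM: 10.0.0.9 TO: 12.34.57.3:27374
this line is not a connection record
"""

if __name__ == "__main__":
    for src, port, first, last, n in find_sweeps(SAMPLE_LOG.splitlines()):
        print("%s swept %s..%s on port %d (%d hosts)" % (src, first, last, port, n))
```

The threshold is the knob to tune: a run of 5 adjacent addresses on a port nothing legitimate uses is already a strong signal, and lowering it trades a few false positives for catching slower scanners.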

 

Method of Infection

The worm copies itself into the folder defined by the "Kazaa\localcontent" registry key and into the "kazaabackupfiles" subdirectory. Some copies may have enticing names (like "porn.exe", "Matrix Screensaver 1.5.scr", "Smart Ripper v2.7.exe", etc.) so that other people download the worm through a P2P file-sharing program. Once the downloaded copy of the worm is executed, the cycle repeats itself.
Some variants can scan subnets for systems already infected by sub7 or kuang2 to spread further.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

If you are using P2P software (Kazaa, Gnutella, Bearshare, Morpheus, eDonkey, eMule, etc.), be very careful with downloaded executable files.

Please make sure that scanning of compressed files is enabled. Always scan downloaded files with the latest DATs and with program heuristics enabled.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • BKDR_SPYBOT (Trend)
  • TROJ_SPYBOT (Trend)
  • W32.Spybot.worm (NAV)
  • WORM_RPCSDBOT (Trend)
  • WORM_SPYBOT (Trend)
