Content

W32/Spybot.worm.gen.p

Type
Virus
SubType
Generic Worm
Discovery Date
08/08/2005
Length
Varies
Minimum DAT
4552 (08/08/2005)
Updated DAT
5115 (09/07/2007)
Minimum Engine
5.1.00
Description Added
08/08/2005
Description Modified
09/01/2006 10:06 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

-- Update September 1, 2006 --
There are several variants of this threat.  Certain details may vary per variant.  The 4843 DAT files identify sample with hash MD5:0xa602476c365e6e2ac37321503b7e66ee as W32/Spybot.worm.gen.o.  The previous DAT detected this variant as W32/Spybot.worm.gen.p.

It is imperative for systems to have the MS06-040 patch applied.
----

W32/Spybot.worm.gen.p connects to a IRC server and accepts commands as described below. The bot obeys commands only after it has verified the login/password of the user who is issuing the commands.

On execution the worm deletes itself from its current location and copies itself in %Windir% as lsass.exe. It then registers itself as a service by creating hkey_local_machine\system\currentcontrolset\services\lsass registry entry with:

    • display name: "Local Security Authority Subsystem Service"
    • description:"Microsoft Path Finder Service Displays Internet Routing Paths."
    • objectname="LocalSystem"
    • imagepath="%WINDIR%\lsass.exe"

It also drops a file "rdriv.sys" in %SYSTEMDIR% which is detected as NTRootKit-J. "rdriv.sys" is also registered as a service by creating hkey_local_machine\system\currentcontrolset\services\rdriv registry entry.

Disables the following services:

    • Telnet
    • Security Center
    • Remote Registry
    • Messenger

This worm also lowers windows security settings by performing the following registry modifications:

  • hkey_local_machine\software\microsoft\security center
    • firewalldisablenotify="1"
    • antivirusoverride="1"
    • updatesdisablenotify="1"
    • firewalloverride="1"
    • antivirusdisablenotify="1"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile\enablefirewall="0"

Prevents updates from installing Windows XP Service Pack 2 by using:
hkey_local_machine\software\policies\microsoft\windows\windowsupdate\donotallowxpsp2="1"

Disables automatic creation of hidden shares on reboot using the following registry entry:
hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters\autosharewks="0"

Disables automatic updates using the follownig registry entry:
hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate\autoupdate\auoptions="1"

The worm opens a backdoor at TCP port 443 and tries to connect to IRC server at

    • bla.girlsontheblock.com

TCP port 443 is normally used for https protocol but this worm uses it for IRC.

Actions that the worm may perform on receiving appropriate commands include:

    • Enumerate active process and threads on infected computer
    • Start, stop and hide processes and threads
    • Modify Microsoft Internet Explorer's start page
    • Open a local web server
    • Port scan IP addresses in a specified subnet to identify possible targets for infection
    • Open backdoor at a specified port
    • Transfer files
    • Spread via MIRC
    • Update itself
    • Restart infected machine
    • Flush ARP and DNS caches
    • Sniff network traffic
    • Create, delete and try to spread via network shares
    • Spread via AOL Instant Messenger
    • Download files from a specified URL

 

The worm may also spread by exploiting the MS06-040 vulnerability.

 

The commands that the worm can receive include

    • login
    • threads
    • logout
    • testdlls
    • version
    • secure
    • unsecure
    • unsec
    • process
    • create
    • nickupdate
    • randnick
    • exploitftpd
    • eftpd
    • sniffer
    • sniff
    • iestart
    • encrypt
    • prefix
    • resolve
    • aimspread
    • currentip
    • stats
    • banner
    • advscan
    • scanall
    • lsascan
    • ntscan
    • wksescan
    • wksoscan
    • flusharp
    • flushdns
    • system
    • r.down
    • r.wget
    • uptime
    • private
    • status

 

Symptoms

  • Existence of registry keys as described.
  • Existence of "%WINDIR%\lsass.exe and %SYSTEMDIR%\rdriv.sys
  • Security Center and Messenger automatically getting disabled.
  • TCP connection at port 443 to bla.girlsontheblock.com. IRC related data on this connection.

 

Method of Infection

This worm can spread via AOL Inastant Messenger, MIRC chat client, improperly configured/protected network shares and by exploiting MS06-040 vulnerability.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This threat modifies a number of system files and configurations that can include disabling the default Windows Firewall on the infected machine. These changes should be manually configured to your preferred settings.

 

Variants

Variants

    N/A

All Information

Overview -

W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

The worm opens a backdoor at TCP port 443 and tries to connect to IRC server and waits for commands. One of the ways this worm can spread is by exploiting MS06-040 vulnerability.

Aliases

  • Backdoor.Win32.SdBot.aqj (Kaspersky)
  • W32.Spybot.Worm (Symantec)
  • W32/Sdbot.IAZ.worm (Panda Antivirus)
  • WORM_RBOT.ASL (Trend Micro)

Characteristics

Characteristics -

-- Update September 1, 2006 --
There are several variants of this threat.  Certain details may vary per variant.  The 4843 DAT files identify sample with hash MD5:0xa602476c365e6e2ac37321503b7e66ee as W32/Spybot.worm.gen.o.  The previous DAT detected this variant as W32/Spybot.worm.gen.p.

It is imperative for systems to have the MS06-040 patch applied.
----

W32/Spybot.worm.gen.p connects to a IRC server and accepts commands as described below. The bot obeys commands only after it has verified the login/password of the user who is issuing the commands.

On execution the worm deletes itself from its current location and copies itself in %Windir% as lsass.exe. It then registers itself as a service by creating hkey_local_machine\system\currentcontrolset\services\lsass registry entry with:

    • display name: "Local Security Authority Subsystem Service"
    • description:"Microsoft Path Finder Service Displays Internet Routing Paths."
    • objectname="LocalSystem"
    • imagepath="%WINDIR%\lsass.exe"

It also drops a file "rdriv.sys" in %SYSTEMDIR% which is detected as NTRootKit-J. "rdriv.sys" is also registered as a service by creating hkey_local_machine\system\currentcontrolset\services\rdriv registry entry.

Disables the following services:

    • Telnet
    • Security Center
    • Remote Registry
    • Messenger

This worm also lowers windows security settings by performing the following registry modifications:

  • hkey_local_machine\software\microsoft\security center
    • firewalldisablenotify="1"
    • antivirusoverride="1"
    • updatesdisablenotify="1"
    • firewalloverride="1"
    • antivirusdisablenotify="1"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile\enablefirewall="0"

Prevents updates from installing Windows XP Service Pack 2 by using:
hkey_local_machine\software\policies\microsoft\windows\windowsupdate\donotallowxpsp2="1"

Disables automatic creation of hidden shares on reboot using the following registry entry:
hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters\autosharewks="0"

Disables automatic updates using the follownig registry entry:
hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate\autoupdate\auoptions="1"

The worm opens a backdoor at TCP port 443 and tries to connect to IRC server at

    • bla.girlsontheblock.com

TCP port 443 is normally used for https protocol but this worm uses it for IRC.

Actions that the worm may perform on receiving appropriate commands include:

    • Enumerate active process and threads on infected computer
    • Start, stop and hide processes and threads
    • Modify Microsoft Internet Explorer's start page
    • Open a local web server
    • Port scan IP addresses in a specified subnet to identify possible targets for infection
    • Open backdoor at a specified port
    • Transfer files
    • Spread via MIRC
    • Update itself
    • Restart infected machine
    • Flush ARP and DNS caches
    • Sniff network traffic
    • Create, delete and try to spread via network shares
    • Spread via AOL Instant Messenger
    • Download files from a specified URL

 

The worm may also spread by exploiting the MS06-040 vulnerability.

 

The commands that the worm can receive include

    • login
    • threads
    • logout
    • testdlls
    • version
    • secure
    • unsecure
    • unsec
    • process
    • create
    • nickupdate
    • randnick
    • exploitftpd
    • eftpd
    • sniffer
    • sniff
    • iestart
    • encrypt
    • prefix
    • resolve
    • aimspread
    • currentip
    • stats
    • banner
    • advscan
    • scanall
    • lsascan
    • ntscan
    • wksescan
    • wksoscan
    • flusharp
    • flushdns
    • system
    • r.down
    • r.wget
    • uptime
    • private
    • status

 

Symptoms

Symptoms -

  • Existence of registry keys as described.
  • Existence of "%WINDIR%\lsass.exe and %SYSTEMDIR%\rdriv.sys
  • Security Center and Messenger automatically getting disabled.
  • TCP connection at port 443 to bla.girlsontheblock.com. IRC related data on this connection.

 

Method of Infection

Method of Infection -

This worm can spread via AOL Inastant Messenger, MIRC chat client, improperly configured/protected network shares and by exploiting MS06-040 vulnerability.

Removal -

Removal -

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This threat modifies a number of system files and configurations that can include disabling the default Windows Firewall on the infected machine. These changes should be manually configured to your preferred settings.

 

Variants

Variants -

    N/A