W32/Spybot.worm.gen.p

This page shows the details and results of our analysis of the malware W32/Spybot.worm.gen.p.

Overview

W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.

The worm opens a backdoor on TCP port 443, tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting the MS06-040 vulnerability.


Minimum DAT

4552 (2005-08-08)

Updated DAT

5919 (2010-03-13)

Minimum Engine

5.1.00

File Length

Varies

Description Added

2005-08-08

Description Modified

2006-09-01

Malware Proliferation

Characteristics

-- Update September 1, 2006 --
There are several variants of this threat. Certain details may vary per variant. The 4843 DAT files identify the sample with MD5 hash 0xa602476c365e6e2ac37321503b7e66ee as W32/Spybot.worm.gen.o. The previous DAT detected this variant as W32/Spybot.worm.gen.p.

It is imperative for systems to have the MS06-040 patch applied.
----

W32/Spybot.worm.gen.p connects to an IRC server and accepts commands as described below. The bot obeys commands only after it has verified the login/password of the user issuing them.

On execution, the worm deletes itself from its current location and copies itself to %Windir% as lsass.exe. It then registers itself as a service by creating the registry key hkey_local_machine\system\currentcontrolset\services\lsass with:

    • displayname="Local Security Authority Subsystem Service"
    • description="Microsoft Path Finder Service Displays Internet Routing Paths."
    • objectname="LocalSystem"
    • imagepath="%WINDIR%\lsass.exe"

It also drops a file "rdriv.sys" in %SYSTEMDIR%, which is detected as NTRootKit-J. "rdriv.sys" is also registered as a service by creating the registry key hkey_local_machine\system\currentcontrolset\services\rdriv.

It disables the following services:

    • Telnet
    • Security Center
    • Remote Registry
    • Messenger

This worm also lowers Windows security settings by making the following registry modifications:

  • hkey_local_machine\software\microsoft\security center
    • firewalldisablenotify="1"
    • antivirusoverride="1"
    • updatesdisablenotify="1"
    • firewalloverride="1"
    • antivirusdisablenotify="1"
  • hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile\enablefirewall="0"

It prevents Windows Update from installing Windows XP Service Pack 2 by setting:
hkey_local_machine\software\policies\microsoft\windows\windowsupdate\donotallowxpsp2="1"

It disables the automatic creation of hidden shares on reboot using the following registry entry:
hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters\autosharewks="0"

It disables automatic updates using the following registry entry:
hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate\autoupdate\auoptions="1"
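As an added example (not part of the original description), the following Python checks a Windows registry export for the weakened settings listed above. The .reg text is constructed, and the assumption that these values are stored as DWORDs is mine.

```python
# Added example: flag the security-weakening registry values described above in a .reg
# export. Key paths are from the description; DWORD storage (dword:00000001) is assumed.
WEAKENED = {
    r"hkey_local_machine\software\microsoft\security center": {
        "firewalldisablenotify": 1, "antivirusoverride": 1, "updatesdisablenotify": 1,
        "firewalloverride": 1, "antivirusdisablenotify": 1},
    r"hkey_local_machine\software\policies\microsoft\windowsfirewall\standardprofile": {"enablefirewall": 0},
    r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate": {"donotallowxpsp2": 1},
    r"hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters": {"autosharewks": 0},
    r"hkey_local_machine\software\microsoft\windows\currentversion\windowsupdate\autoupdate": {"auoptions": 1},
}

def parse_reg_export(text):
    """Parse .reg text into {key (lowercase): {value name (lowercase): int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"').lower()
            # DWORDs are exported as dword:<8 hex digits>; strings are quoted.
            keys[current][name] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys

def find_weakened_settings(reg_text):
    """Return (key, value name, data) for every value set the way the worm sets it."""
    keys = parse_reg_export(reg_text)
    hits = []
    for key, expected in WEAKENED.items():
        for name, bad in expected.items():
            data = keys.get(key, {}).get(name)
            if data is not None and str(data) == str(bad):
                hits.append((key, name, data))
    return hits

# Constructed sample: two Security Center notifications suppressed, firewall policy off,
# admin shares off; FirewallOverride is left at 0 and must not be reported.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"AutoShareWks"=dword:00000000
"""
```

On a live system, feed it the output of `reg export` for the keys above; any hit should be compared against the settings you expect for that machine before restoring them.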

The worm opens a backdoor on TCP port 443 and tries to connect to an IRC server at

    • bla.girlsontheblock.com

TCP port 443 is normally used for the HTTPS protocol, but this worm uses it for IRC.
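The protocol mismatch just described (IRC where TLS is expected on port 443) can be checked from the first client payload of a flow. This Python is an added example, not part of the original description; the payloads are constructed and the hostname is the one given above.

```python
# Added example: classify an outbound TCP/443 flow as TLS or IRC from its first client
# payload. Sample payloads are constructed; the IRC server name is from the description.
KNOWN_IRC_SERVER = "bla.girlsontheblock.com"
IRC_COMMANDS = {b"PASS", b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"NOTICE", b"PING", b"PONG", b"MODE"}

def looks_like_tls(payload):
    """A TLS record starts with content type 0x16 (handshake) and major version 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04

def looks_like_irc(payload):
    """IRC is CRLF-delimited text: optional ':prefix', then a command word or 3-digit reply."""
    for line in payload.split(b"\r\n"):
        words = line.split(b" ")
        if words and words[0].startswith(b":"):
            words = words[1:]          # drop the server prefix of a server-to-client line
        if not words:
            continue
        cmd = words[0]
        if cmd.upper() in IRC_COMMANDS or (len(cmd) == 3 and cmd.isdigit()):
            return True
    return False

def classify_flow(dst_host, dst_port, payload):
    """Return a list of alert reasons for this flow (empty means nothing suspicious)."""
    reasons = []
    if dst_host.lower() == KNOWN_IRC_SERVER:
        reasons.append(f"connection to known Spybot IRC server {dst_host}")
    if dst_port == 443 and not looks_like_tls(payload) and looks_like_irc(payload):
        reasons.append(f"IRC protocol on TCP/443 to {dst_host} (expected TLS)")
    return reasons

# Constructed samples: a TLS ClientHello record header, an IRC registration and a server reply.
TLS_HELLO = bytes.fromhex("16030100a1010000")
IRC_REGISTER = b"NICK bot-2f91\r\nUSER bot 0 * :bot\r\n"
IRC_WELCOME = b":irc.example 001 bot-2f91 :Welcome\r\n"

if __name__ == "__main__":
    for host, port, data in [("www.example.com", 443, TLS_HELLO),
                             ("203.0.113.5", 443, IRC_REGISTER),
                             (KNOWN_IRC_SERVER, 443, IRC_REGISTER)]:
        print(host, port, classify_flow(host, port, data) or "ok")
```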

Actions that the worm may perform on receiving appropriate commands include:

    • Enumerate active processes and threads on the infected computer
    • Start, stop and hide processes and threads
    • Modify Microsoft Internet Explorer's start page
    • Open a local web server
    • Port scan IP addresses in a specified subnet to identify possible targets for infection
    • Open a backdoor on a specified port
    • Transfer files
    • Spread via mIRC
    • Update itself
    • Restart infected machine
    • Flush ARP and DNS caches
    • Sniff network traffic
    • Create, delete and try to spread via network shares
    • Spread via AOL Instant Messenger
    • Download files from a specified URL

The worm may also spread by exploiting the MS06-040 vulnerability.

The commands that the worm can receive include

    • login
    • threads
    • logout
    • testdlls
    • version
    • secure
    • unsecure
    • unsec
    • process
    • create
    • nickupdate
    • randnick
    • exploitftpd
    • eftpd
    • sniffer
    • sniff
    • iestart
    • encrypt
    • prefix
    • resolve
    • aimspread
    • currentip
    • stats
    • banner
    • advscan
    • scanall
    • lsascan
    • ntscan
    • wksescan
    • wksoscan
    • flusharp
    • flushdns
    • system
    • r.down
    • r.wget
    • uptime
    • private
    • status

Symptoms

  • Existence of registry keys as described.
  • Existence of "%WINDIR%\lsass.exe" and "%SYSTEMDIR%\rdriv.sys"
  • Security Center and Messenger automatically getting disabled.
  • A TCP connection on port 443 to bla.girlsontheblock.com carrying IRC-related data.

Method of Infection

This worm can spread via AOL Instant Messenger, the mIRC chat client, improperly configured/protected network shares and by exploiting the MS06-040 vulnerability.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

This threat modifies a number of system files and configurations, including disabling the default Windows Firewall on the infected machine. These settings should be manually restored to your preferred configuration.

Variants