# Spybot Worm Causing Network Problems

## SpySentinel (May 30, 2006)

The first signs of the W32.Spybot.ANDM network worm were seen in the wild on December 22, 2006. The worm modifies various registry keys so that it executes on system startup. It also opens a backdoor via an mIRC channel. The backdoor accepts various remote commands, including capturing keystrokes, downloading files and stopping various security services. The worm propagates via mIRC, network shares with weak passwords and the following known vulnerabilities:

- SecurityFocus RealVNC Remote Authentication Bypass Vulnerability
  http://www.securityfocus.com/bid/17978
- SecurityFocus Microsoft Windows LSASS Buffer Overrun Vulnerability
  http://www.securityfocus.com/bid/10108
- SecurityFocus Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability
  http://www.securityfocus.com/bid/8205
- SecurityFocus Microsoft SQL Server 2000 or MSDE 2000 Audit
  http://www.securityfocus.com/bid/5980
- SecurityFocus Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities
  http://www.securityfocus.com/bid/9743
- SecurityFocus Symantec Client Security and Symantec AntiVirus Elevation of privilege
  http://www.securityfocus.com/bid/18107

Symantec Security Response strongly recommends reviewing the patch levels of the relevant software on all desktop and server systems to ensure the vulnerabilities listed above have been patched. Organizations are also encouraged to follow safe practices for password assignment and usage, using complex passwords whenever possible.

This particular worm generates large amounts of network traffic, which may result in network performance degradation. Another sign of possible system infection is the existence of a file named "a.bat" in the root directory of drive C: and "1.reg" in the temporary directory. These files are automatically created and deleted by the worm, but may exist on an infected system.
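A host triage check for the two dropped files named above and for registry autostart entries, added here as an example and not code from SpySentinel or Symantec. It assumes the standard Run/RunOnce keys (the advisory only says "various registry keys"), and the .reg content and directory layout it uses are constructed so it runs offline:

```python
import os
import re
import tempfile

# Autostart keys to inspect. The advisory only says the worm "modifies
# various registry keys"; the standard Run/RunOnce keys are an assumption.
AUTOSTART_SUFFIXES = (r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
                      r"\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE")
_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"\s*$')


def find_dropped_files(system_root="C:\\", temp_dir=None):
    """Return which of the advisory's dropped files (a.bat, 1.reg) are present."""
    temp_dir = tempfile.gettempdir() if temp_dir is None else temp_dir
    candidates = [os.path.join(system_root, "a.bat"), os.path.join(temp_dir, "1.reg")]
    return [path for path in candidates if os.path.isfile(path)]


def autostart_entries(reg_text):
    """Parse .reg export text; return (key, value_name, command) under autostart keys."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key and current_key.upper().endswith(AUTOSTART_SUFFIXES):
            command = value_match.group("data").replace("\\\\", "\\")  # undo .reg escaping
            entries.append((current_key, value_match.group("name"), command))
    return entries


# Constructed sample .reg content; the second value is a placeholder, not a real indicator.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PLACEHOLDER_ENTRY"="C:\\WINDOWS\\system32\\placeholder.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"="unrelated"
'''


def simulate_infected_layout():
    # Constructed fake system root and temp dir holding both dropped files.
    base = tempfile.mkdtemp(prefix="spybot_triage_")
    root, temp_dir = os.path.join(base, "root"), os.path.join(base, "temp")
    for directory in (root, temp_dir):
        os.makedirs(directory)
    open(os.path.join(root, "a.bat"), "w").close()
    with open(os.path.join(temp_dir, "1.reg"), "w") as handle:
        handle.write(SAMPLE_REG)
    return root, temp_dir
```

On a real host call `find_dropped_files()` with its defaults and feed `autostart_entries()` the text of a `reg export` of the Run keys; any entry that is not a known, signed application warrants a closer look.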

Likely sources of infections are uncontrolled systems physically entering a network, such as laptops, and direct infections of systems within networks not protected by perimeter firewalls. Most large organizations protect their internal networks with a strong perimeter firewall. Many smaller organizations, unfortunately, do not always use perimeter firewalls, thus leaving all systems on their networks open to possible attack. Industry-standard best practices for security encourage the use of perimeter firewalls for general network protection.

More detailed information on this threat can be found on the Symantec Security Response web site at

http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-010316-2308-99

At this point in time, Symantec Security Response rates this worm as low severity, with a current rating of CAT 2 (out of a possible 5).

Symantec Security Response has analyzed the threat and has provided protection for it via LiveUpdate and Intelligent Updater. The latest antivirus (AV) definitions will detect all known variants of the W32.Spybot.ANDM worm and repair related infections. IPS signatures are also available for Symantec Client Security and Symantec Network Security 7100 series and versions 4.0 and later.
