W32.Spybot.OBZ
Sunday, 24 April 2005
W32.Spybot.OBZ is a worm that has distributed denial of service and back door capabilities. The worm spreads through network shares protected by weak passwords and by exploiting vulnerabilities. The worm may be dropped by W32.Kelvir.AN.

Type: Worm
Infection Length: 68,423 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Spybot.OBZ is executed, it performs the following actions:


Arrives as the file C:\Service.exe.


Copies itself as %System%\scvhosts.exe.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Windows Services" = "scvhoste.exe"

to the registry subkeys:


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa

so that the worm is executed every time Windows starts.


Sets the value

"EnableDCOM" = "N"

in the registry subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

to modify the DCOM setting.

Sets the value

"restrictanonymous" = "1"

in the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

to modify access to network shares.

Attempts to open a back door by connecting to an IRC channel on the white.0wnsj00.net domain on TCP port 6660.

Listens for commands from a remote attacker. The remote attacker may be able to perform any of the following actions:

Download and execute files
List, stop, and start processes and threads
Launch ACK, SYN, UDP, and ICMP denial of service attacks
Perform port redirection
Send files over IRC
Send email using its own SMTP engine
Start a local HTTP, FTP, or TFTP server
Search for files on the compromised computer
Log keystrokes
Access network shares and copy itself to those network shares
Scan the network for vulnerable computers by means of port scanning
Capture screenshots, data from the clipboard, and footage from webcams
Visit URLs
Flush the DNS and ARP caches
Open a command shell on the compromised computer
Start a SOCKS4 proxy server
Add and delete network shares and disable DCOM
Reboot the compromised computer
Intercept packets on the local area network
Retrieve the currently logged on user's Windows password from memory
Send net send messages
Delete registry loading points from other programs and malware

Spreads by exploiting the following vulnerabilities:

The Microsoft Windows DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
The Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS02-056).

Attempts to propagate through back doors opened by variants of the W32.Beagle, W32.Sasser and W32.Mydoom worms, and by variants of Backdoor.NetDevil, Backdoor.Subseven, Backdoor.Kuang, and Backdoor.Optix.

Attempts to spread to randomly generated IP addresses by copying itself to network shares that are protected with weak passwords.

To delete the value from the registry:
Click Start > Run.
Type regedit
Click OK.


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa


In the right pane, delete the value:

"Windows Services" = "scvhoste.exe"


Navigate to the subkey:

HKEY_LOCAL_MACHINE\Software\Microsoft\OLE

In the right-hand pane, reset the value:

"EnableDCOM"="N"

Navigate to the subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In the right-hand pane, reset the value:

"restrictanonymous" = "1"

Exit the Registry Editor.
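Before working through the manual steps above, an audit of the artifacts this write-up lists saves guesswork. The PowerShell script below is an added example, not part of the original advisory: it reports the "Windows Services" load point in each listed subkey, the dropped files, and the two changed settings without modifying anything. It assumes an NT-family Windows where %System% is %SystemRoot%\System32; the function names are this script's own.

```powershell
# Added audit script (not from the advisory): read-only check for the
# W32.Spybot.OBZ artifacts described in the write-up above.
$loadPointKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\OLE',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\OLE',
    'HKCU:\SYSTEM\CurrentControlSet\Control\Lsa'   # normally absent; Test-Path handles it
)

function Get-RegValue {
    # Returns the named value or $null; never throws on a missing key or value.
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Find-SpybotOBZArtifacts {
    $findings = @()
    # 1. Persistence: "Windows Services" value in any of the listed subkeys.
    foreach ($key in $loadPointKeys) {
        $v = Get-RegValue -Key $key -Name 'Windows Services'
        if ($null -ne $v) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = $key; Detail = "Windows Services = $v" }
        }
    }
    # 2. Dropped copies: %System%\scvhosts.exe and C:\Service.exe.
    $paths = @((Join-Path $env:SystemRoot 'System32\scvhosts.exe'), 'C:\Service.exe')
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'File'; Location = $p; Detail = 'present' }
        }
    }
    # 3. Settings the worm changes: EnableDCOM = N under OLE, restrictanonymous = 1 under Lsa.
    $oleKey = 'HKLM:\Software\Microsoft\OLE'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dcom = Get-RegValue -Key $oleKey -Name 'EnableDCOM'
    if ($dcom -eq 'N') { $findings += [pscustomobject]@{ Type = 'Setting'; Location = $oleKey; Detail = "EnableDCOM = $dcom" } }
    $ra = Get-RegValue -Key $lsaKey -Name 'restrictanonymous'
    if ($ra -eq 1) { $findings += [pscustomobject]@{ Type = 'Setting'; Location = $lsaKey; Detail = "restrictanonymous = $ra" } }
    return $findings
}

Find-SpybotOBZArtifacts | Format-Table -AutoSize
```

A restrictanonymous of 1 is also a legitimate hardening setting on many hosts, so treat that finding as corroboration of the file and load-point hits rather than as proof of infection on its own.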