W32.Spybot.PKC
Tuesday, 07 June 2005
W32.Spybot.PKC is a network-aware worm that has distributed denial of service and back door capabilities. The worm spreads through network shares protected by weak passwords and by exploiting vulnerabilities.

Type: Worm
Infection Length: 121,504 bytes.

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Once W32.Spybot.PKC is executed, it performs the following actions:


Creates the following copy of itself:

%System%\msupdtm.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Adds the value:

"Microsoft System" = "msupdtm.exe"

to the registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE

so that it is executed every time Windows starts.


Opens a back door by connecting to an IRC channel on 212.3.3.153 on TCP port 6394.


Listens for commands that allow a remote attacker to perform the following actions:


Download and execute files
List, stop, and start processes and threads
Launch ACK, SYN, UDP, and ICMP denial of service attacks
Perform port redirection
Send files over IRC
Send email using its own SMTP engine
Start a local HTTP, FTP, or TFTP server
Search for files on the compromised computer
Log keystrokes
Access network shares and copy itself to those network shares
Scan the network for vulnerable computers by means of port scanning
Capture screenshots, data from the clipboard, and footage from webcams
Visit URLs
Flush the DNS and ARP caches
Open a command shell on the compromised computer
Start a SOCKS4 proxy server
Add and delete network shares
Disable DCOM
Reboot the compromised computer
Intercept packets on the local area network
Retrieve the currently logged-on user's Windows password from memory
Send net send messages
Delete registry loading points from other programs and malware


Scans for computers vulnerable to one or more of the following exploits:


The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011), using TCP port 445.
The Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability (as described in Microsoft Security Bulletin MS02-061), using TCP port 1433 (the SQL Server listener; the stored procedure is reached over a SQL login).
The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow Vulnerabilities (as described in Microsoft Security Bulletin MS04-007).

Spreads to randomly generated IP addresses by copying itself to network shares that are protected with weak passwords.
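The two network behaviours described above, the IRC back door on 212.3.3.153 TCP/6394 and the scanning of random addresses on the ports the listed exploits use, are the easiest things to spot from outside the host. The following is an added example, not part of the original write-up, that runs both checks over a constructed firewall log. The log format ("<epoch> <src> <dst> <proto>/<dport>"), the fan-out threshold and the time window are assumptions chosen for illustration; the C2 address and the port list come from the text (TCP 135 for MS03-026, TCP 445 for MS04-011 and the share spreading, TCP 1433 for MS02-061).

```python
"""Network-side detection for W32.Spybot.PKC behaviour (added example)."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

C2_ADDR = ("212.3.3.153", 6394)   # back door IRC server and port named in the write-up
SCAN_PORTS = {135, 445, 1433}     # MS03-026 (135), MS04-011 and share spreading (445), MS02-061 (1433)
FANOUT_THRESHOLD = 20             # assumed: distinct targets within the window before we call it a scan
WINDOW_SECONDS = 60               # assumed: sliding window for the fan-out count

# Constructed sample log (not real traffic), assumed format "<epoch> <src> <dst> <proto>/<dport>":
# one host calling the back door, one host sweeping TCP/445, and two benign file-share connections.
SAMPLE_LOG = "\n".join(
    [f"1118100000 10.0.0.5 {C2_ADDR[0]} tcp/{C2_ADDR[1]}"]
    + [f"{1118100010 + i} 10.0.0.7 10.0.1.{i + 1} tcp/445" for i in range(25)]
    + ["1118100050 10.0.0.9 10.0.0.1 tcp/445", "1118100051 10.0.0.9 10.0.0.2 tcp/139"]
)


def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    """Split one log line into (timestamp, src, dst, proto, dport)."""
    ts, src, dst, svc = line.split()
    proto, port = svc.split("/")
    return int(ts), src, dst, proto.lower(), int(port)


def detect(log: str) -> List[Tuple[str, str, str]]:
    """Return (alert kind, source host, detail) tuples for a time-ordered log.

    "c2" fires on any TCP connection to C2_ADDR. "scan" fires once per source
    when it has touched FANOUT_THRESHOLD distinct hosts on SCAN_PORTS within
    WINDOW_SECONDS; a worm probing random addresses fans out far wider than a user.
    """
    alerts: List[Tuple[str, str, str]] = []
    recent: Dict[str, Deque[Tuple[int, str, int]]] = defaultdict(deque)
    flagged: Set[str] = set()
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, proto, port = parse_line(raw)
        if proto != "tcp":
            continue
        if (dst, port) == C2_ADDR:
            alerts.append(("c2", src, f"IRC back door {dst}:{port}"))
        if port in SCAN_PORTS:
            window = recent[src]
            window.append((ts, dst, port))
            while window and ts - window[0][0] > WINDOW_SECONDS:
                window.popleft()          # age out events older than the window
            targets = {d for _, d, _ in window}
            if len(targets) >= FANOUT_THRESHOLD and src not in flagged:
                flagged.add(src)
                ports = sorted({p for _, _, p in window})
                alerts.append(("scan", src, f"{len(targets)} hosts on tcp/{ports}"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LOG):
        print(f"{kind:4s} {src:12s} {detail}")
```

The C2 match is a plain indicator and will go stale as soon as the operator moves the server, so the fan-out rule is the part worth keeping: it keys on the worm's spreading behaviour rather than on this sample's address, and the same rule catches any host that starts sweeping 135/445/1433 regardless of which variant is doing it.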

To delete the value from the registry:

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to the subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE


In the right pane, delete the value:

"Microsoft System" = "msupdtm.exe"


Exit the Registry Editor.
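The manual removal steps above can be checked, or repeated across many machines, with a script. The following is an added example, not part of the original write-up, that looks for the "Microsoft System" = "msupdtm.exe" loading point under the three subkeys listed and for the dropped file %System%\msupdtm.exe. The matching is deliberately tolerant (case-insensitive, and accepting a full quoted image path instead of the bare file name) because a cleaned and re-infected machine, or a close variant, may not store the value exactly as shown. The registry reader is injectable so the logic can be exercised on constructed data on any platform; on Windows the script falls back to the live registry through the standard winreg module. The script only reports; deleting the value and file is left to the operator, as in the steps above.

```python
r"""Host-side check for the W32.Spybot.PKC loading point and dropped file (added example)."""
import os
import sys
from typing import Callable, Dict, List, Tuple

# Indicators taken from the write-up.
VALUE_NAME = "Microsoft System"
DROPPED_FILE = "msupdtm.exe"
PERSISTENCE_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\OLE"),
]

# A reader maps (hive, subkey) -> {value name: string data}, or {} when the key is absent.
Reader = Callable[[str, str], Dict[str, str]]


def is_spybot_value(name: str, data: str) -> bool:
    r"""True when a registry value matches the worm's loading point.

    Case-insensitive, and tolerant of quotes or a full path in the data
    (e.g. "C:\WINDOWS\system32\MSUPDTM.EXE") rather than the bare file name.
    """
    if name.strip().lower() != VALUE_NAME.lower():
        return False
    image = data.strip().strip('"')
    return os.path.basename(image.replace("\\", "/")).lower() == DROPPED_FILE


def find_persistence(reader: Reader) -> List[Tuple[str, str, str, str]]:
    """Return (hive, subkey, value name, data) for every matching loading point."""
    hits = []
    for hive, subkey in PERSISTENCE_KEYS:
        for name, data in reader(hive, subkey).items():
            if is_spybot_value(name, data):
                hits.append((hive, subkey, name, data))
    return hits


def dropped_file_path(system_dir: str) -> str:
    """Path of the worm's copy given the %System% folder."""
    return os.path.join(system_dir, DROPPED_FILE)


def winreg_reader(hive: str, subkey: str) -> Dict[str, str]:
    """Read the string values of a live registry key (Windows only)."""
    import winreg  # only available on Windows
    root = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
            "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}[hive]
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(root, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                if isinstance(data, str):
                    values[name] = data
                index += 1
    except OSError:
        pass  # the subkey does not exist on this system
    return values


def main() -> int:
    if sys.platform != "win32":
        print("the live registry check needs Windows; the matching logic runs anywhere")
        return 2
    hits = find_persistence(winreg_reader)
    for hive, subkey, name, data in hits:
        print(f"loading point: {hive}\\{subkey}  {name!r} = {data!r}")
    # %System% resolved from SystemRoot; modern Windows keeps it under System32.
    path = dropped_file_path(os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32"))
    present = os.path.exists(path)
    if present:
        print(f"dropped file present: {path}")
    return 1 if hits or present else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it before and after the manual steps: a clean machine exits 0, and a non-zero exit after cleanup means a loading point or the file survived (or the worm was still running and rewrote its entry, in which case stop the msupdtm.exe process first).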