SECURITY ALERT

Name:      W32/Spybot.worm.lz
Aliases:   W32/RpcSpybot-A,WORM_RPCSDBOT.A,Sdbot.RPC.A,
           W32.Randex.E,Win32.RPCexploit,Backdoor.Sdbot.au,
           TrojanDropper.Win32.Small.bd,Exploit-DcomRPC,IRC-BBot
Variants:  
Type:      Internet Worm,Trojan Horse
Platforms: Windows 32-bit
Status:    in the wild
Threat:    V-CON 2 (low)

The following has been derived from information provided by Network Associates, Trend, Symantec, and F-Secure.

Virus Characteristics

This worm exploits the same RPC vulnerability, described in MS03-026, that W32.Blaster.Worm uses. The flaw, a buffer overrun in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, allows an unauthenticated remote attacker to execute arbitrary code on the target machine with full (Local System) privileges.

The exploit binds a remote command shell on TCP port 4444 of the target. Through that shell the worm instructs the target to fetch a copy of the worm via TFTP (UDP port 69) from the already-infected attacking system and to run it.


Payload

Upon execution, the worm creates the following files in the WINNT\SYSTEM32 folder:

WINLOGIN.EXE (24,064 bytes); note that the name differs from the legitimate WINLOGON.EXE by a single letter
YUETYUTR.DLL (43,520 bytes)

or (variant)

NSTASK32.EXE (24,064 bytes)
WINSOCK32DRV.DLL (43,520 bytes)

The worm will attempt to delete the TFTP.EXE file from C:\WINNT\SYSTEM32.

The following registry values are created to launch the worm at Windows startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
"winlogon" = "winlogin.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"NDplDeamon" = "winlogin.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"winlogon" = "winlogin.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell" = "explorer.exe winlogin.exe"

It adds the following line to the SYSTEM.INI on Windows 9x systems:

[boot]
shell = explorer.exe winlogin.exe

The worm contains code based on one of several IRC-SDBOT worm variants; it attempts to connect to an IRC server named "le.x.lu.tc" and waits there for commands from a remote attacker.

The worm injects the dropped YUETYUTR.DLL file into the explorer.exe process.
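The file, registry and SYSTEM.INI indicators above can be checked mechanically. The script below is an added example written for this page; it is not code from the alert or from any of the vendors cited. evaluate() is a pure function over a snapshot so it can be exercised offline with constructed data; collect_snapshot() reads the live values on a Windows host. The 120-byte size comparison, the treatment of a missing TFTP.EXE as a weak indicator, and the assumption that the NSTASK32.EXE variant uses the same autorun locations are assumptions of the example, not statements from the alert.

```python
"""
Host-side check for the dropped files and autorun entries this alert lists.
evaluate() works on a snapshot dict (usable offline with constructed data);
collect_snapshot() gathers the real values on a Windows host and needs the
winreg module, so it only runs there.
"""
import os
import sys

# Dropped-file names (either variant) and the sizes the alert reports.
DROPPED_FILES = {
    "winlogin.exe": 24064,
    "yuetyutr.dll": 43520,
    "nstask32.exe": 24064,
    "winsock32drv.dll": 43520,
}
# Executable names to look for in autorun data. Assumption: the NSTASK32.EXE
# variant registers itself in the same locations as WINLOGIN.EXE.
WORM_EXES = ("winlogin.exe", "nstask32.exe")

# Autorun locations the alert lists: (hive, subkey, value name).
AUTORUN_VALUES = [
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", "winlogon"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "NDplDeamon"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "winlogon"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"),
]


def evaluate(snapshot):
    """Return a list of findings for a snapshot dict with keys:
         files      {lowercase name: size}  listing of the System32 folder
         registry   {(hive, subkey, value): data string}
         system_ini text of SYSTEM.INI, or None on NT-based systems
    """
    findings = []
    files = snapshot.get("files", {})
    for name, size in DROPPED_FILES.items():
        if name in files:
            how = "size matches" if files[name] == size else "size differs"
            findings.append("dropped file %s present (%s)" % (name, how))
    # The worm deletes the TFTP client after use; its absence is only a weak hint.
    if files and "tftp.exe" not in files:
        findings.append("tftp.exe missing from System32 (weak indicator)")
    for key in AUTORUN_VALUES:
        data = snapshot.get("registry", {}).get(key)
        if data and any(exe in data.lower() for exe in WORM_EXES):
            findings.append("autorun %s\\%s [%s] = %r" % (key[0], key[1], key[2], data))
    # Windows 9x: "shell = explorer.exe winlogin.exe" under [boot].
    for line in (snapshot.get("system_ini") or "").splitlines():
        packed = line.lower().replace(" ", "")
        if packed.startswith("shell=") and any(exe in packed for exe in WORM_EXES):
            findings.append("SYSTEM.INI [boot] shell line: %s" % line.strip())
    return findings


def collect_snapshot():
    """Read the live file listing, registry values and SYSTEM.INI on Windows."""
    import winreg  # Windows only
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    sysroot = os.environ.get("SystemRoot", r"C:\WINNT")
    files = {}
    for entry in os.scandir(os.path.join(sysroot, "System32")):
        if entry.is_file():
            files[entry.name.lower()] = entry.stat().st_size
    registry = {}
    for hive, subkey, value in AUTORUN_VALUES:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                registry[(hive, subkey, value)] = str(winreg.QueryValueEx(key, value)[0])
        except OSError:
            pass  # key or value absent, which is the normal case
    ini_path = os.path.join(sysroot, "system.ini")
    system_ini = None
    if os.path.isfile(ini_path):
        with open(ini_path, errors="replace") as fh:
            system_ini = fh.read()
    return {"files": files, "registry": registry, "system_ini": system_ini}


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("collect_snapshot() needs a Windows host; evaluate() works offline")
    for finding in evaluate(collect_snapshot()) or ["no indicators found"]:
        print(finding)
```

The size comparison is deliberately reported rather than used as a gate: a repacked variant would keep the file names but not the byte counts, and the autorun entries are the stronger signal either way.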


Preventative Measures

Block traffic on TCP/UDP port 135 (and if possible 135-139, 445 and 593).
Monitor TCP port 4444 and UDP port 69 (TFTP) for unexpected connections.
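Watching ports 4444 and 69 in isolation produces noise; the useful signal is the order in which the three connections described above appear between one pair of hosts. The script below is an added example for this page, not code from the alert or any vendor. It correlates flow records (constructed here, not a real capture) in the format "epoch src dst proto dport" and assumes a 120-second gap between stages; both the record format and the window are assumptions of the example.

```python
"""
Correlate the propagation sequence this alert describes over flow records.
Stages, tracked per (attacker, victim) pair:
  rpc       attacker -> victim   TCP/135   (DCOM RPC exploit attempt)
  shell     attacker -> victim   TCP/4444  (remote shell bound by the exploit)
  download  victim   -> attacker UDP/69    (victim fetches the worm via TFTP)
"""
from collections import defaultdict

WINDOW_SECONDS = 120  # assumed: each stage must follow the previous within this gap

# Constructed sample, not a real capture. Format: "epoch src dst proto dport".
SAMPLE_FLOWS = """
1060800000 10.0.0.5  10.0.0.9  tcp 135
1060800002 10.0.0.5  10.0.0.9  tcp 4444
1060800005 10.0.0.9  10.0.0.5  udp 69     # 10.0.0.9 pulls the worm from 10.0.0.5
1060800010 10.0.0.7  10.0.0.20 tcp 135    # ordinary DCOM traffic, no follow-up
1060800030 10.0.0.9  10.0.0.33 tcp 135    # 10.0.0.9, now infected, hits a new host
1060800031 10.0.0.9  10.0.0.33 tcp 4444
1060800050 10.0.0.40 10.0.0.41 tcp 4444   # 4444 with no preceding 135: ignored
1060800500 10.0.0.33 10.0.0.9  udp 69     # TFTP far outside the window: ignored
"""


def parse_flow(line):
    """Parse one record; returns None for blank or comment-only lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    ts, src, dst, proto, dport = body.split()
    return int(ts), src, dst, proto.lower(), int(dport)


def correlate(lines, window=WINDOW_SECONDS):
    """Map (victim, attacker) -> furthest stage reached: 'shell' or 'download'.

    A lone TCP/135 connection is normal DCOM use and never alerts. TCP/4444
    only counts when the same source hit TCP/135 on the same host within
    `window` seconds, and a TFTP fetch only counts when it goes back to that
    source after the shell was opened.
    """
    events = defaultdict(list)  # (attacker, victim) -> [(ts, stage)]
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, proto, dport = rec
        if proto == "tcp" and dport == 135:
            events[(src, dst)].append((ts, "rpc"))
        elif proto == "tcp" and dport == 4444:
            events[(src, dst)].append((ts, "shell"))
        elif proto == "udp" and dport == 69:
            events[(dst, src)].append((ts, "download"))  # victim is the source here
    verdicts = {}
    for (attacker, victim), evs in events.items():
        t_rpc = t_shell = None
        for ts, stage in sorted(evs):
            if stage == "rpc":
                t_rpc = ts
            elif stage == "shell" and t_rpc is not None and ts - t_rpc <= window:
                t_shell = ts
                verdicts[(victim, attacker)] = "shell"
            elif stage == "download" and t_shell is not None and ts - t_shell <= window:
                verdicts[(victim, attacker)] = "download"
    return verdicts


if __name__ == "__main__":
    for (victim, attacker), stage in sorted(correlate(SAMPLE_FLOWS.splitlines()).items()):
        print("%s: reached '%s' stage via %s" % (victim, stage, attacker))
```

A "download" verdict also tells you where to look next: the attacker address in that pair is itself an infected host, which is why the sample shows 10.0.0.9 appearing first as a victim and then as an attacker.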

Ensure that all systems have applied the Microsoft patch. This patch is available from the following website:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

Updated virus definitions will detect and stop the worm's dropped files, but they do not close the MS03-026 vulnerability, which remains exploitable by other code. Treat definition updates as a temporary measure to slow the spread of the worm until the Microsoft patch can be applied.


Fixes Available

Network Associates:
Minimum DAT: 4285, heuristically detected with 4283 DAT files as New Malware.b when scanning compressed files with the 4.2.40+ engine.
Release Date: 08/13/2003
Minimum Engine: 4.2.40

Symantec:
Virus Definitions (Intelligent Updater): August 13, 2003
Virus Definitions (LiveUpdate): August 13, 2003

Trend:
Pattern File: 605
Minimum Scan Engine: 5.400
