WORM_SPYBOT.BSA

This worm may arrive via network shares. It uses brute force attack to gain access to password-protected shares.

It has backdoor routines that allows this worm to compromise the system's security. It opens a certain port where it listens for remote commands from a malicious user. A remote malicious user can connect through the opened port and execute arbitrary commands on the affected system.

It connects to certain URLs to get the affected system's IP address.

This worm may be downloaded by other malware/grayware/spyware from remote sites. It may be unknowingly downloaded by a user while visiting malicious websites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm may arrive via network shares.

It may be downloaded by other malware/grayware/spyware from remote sites.

It may be unknowingly downloaded by a user while visiting malicious websites.

Installation

This worm drops the following copies of itself into the affected system:

• %System%\ipz2.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Propagation

This worm uses the following user name and password to gain access to password-protected shares:

• 00000
• 12321
• 12345
• 54321
• 111111
• 121212
• 123123
• 123321
• 123456
• 123456
• 654321
• 1234321
• 1234567
• 11111111
• 12341234
• 12344321
• 12345678
• 12345678
• 87654321
• 123123123
• 123454321
• 123456789
• 123456789
• 987654321
• 987654321
• 1234554321
• 1234567890
• 1q2w3e
• 1q2w3e4r
• 1q2w3e4r5t
• 1qa2ws3ed
• 1qaz2wsx
• aaaaaa
• aaaaaaaa
• abcdef
• abcdefg
• abcdefgh
• abcdefghi
• abcdefghij
• Admin
• admin
• Administrator
• administrator
• africa
• anime
• april
• attack
• azerty
• battle
• battleship
• bender
• bicycle
• billgates
• blood
• boobs
• bottle
• brent
• brentcorrigan
• bucks
• caddy
• calculator
• cannon
• canon
• captain
• cavern
• chopper
• cinema
• coffee
• computer
• copypaste
• copyright
• creative
• cyber
• defence
• dream
• earth
• elevate
• embrace
• facebook
• fighter
• flight
• flower
• freedom
• general
• gentoo
• google
• grant
• grinder
• guitar
• handy
• harry
• harrypotter
• health
• helicopter
• hiroshima
• horror
• human
• inferno
• internet
• israel
• kamikaze
• leela
• leeps
• light
• linux
• login
• lover
• lucifer
• major
• master
• memory
• metall
• microsoft
• minigun
• mondo
• motor
• mouse
• mozilla
• necromancer
• nekomimi
• neuron
• nigger
• norad
• nothing
• obvious
• october
• offence
• passwd
• password
• paswd
• pasword
• people
• pilot
• pirate
• police
• potter
• press
• qazwsx
• qazwsxedc
• qqqqqq
• qqqqqqqq
• qweasd
• qwerasdf
• qwert
• qwerty
• qwertyu
• qwertyui
• qwertyuio
• qwertyuiop
• radmin
• rastaman
• right
• robot
• rocket
• rotor
• samael
• satan
• scada
• share
• shark
• sharp
• shinny
• skate
• skynet
• skyscraper
• solder
• soldier
• south
• southpark
• space
• stack
• starcraft
• starwars
• stereo
• stick
• summer
• tolerance
• ubuntu
• universe
• username
• vader
• venus
• video
• warcraft
• warhammer
• welcome
• winter
• witch
• xerox
• ytrewq
• zeitgeist
• zzzzzzzz

Backdoor Routine

This worm opens the following port(s) where it listens for remote commands:

• 689

It executes the following commands from a remote malicious user:

• Add/remove programs from firewall trust list
• Upload/download files
• Use Telnet and Radmin
• Install/delete service
• Modify DNS settings
• Connect to peer-to-peer network

Other Details

This worm connects to the following URL(s) to get the affected system's IP address:

• http://www.myipnumber.com/
• http://showip.net/
• http://whois.domaintools.com/
• http://ip-address.domaintools.com/
• http://www.moanmyip.com/
• http://www.123myip.co.uk/
• http://www.dnsstuff.com/
• http://www.ip-adress.com/
• http://www.hostip.info/