WORM_SPYBOT.B

Malware type: Worm

Aliases: W32/Sdbot.worm.gen.k (McAfee), Backdoor.IRC.Bot (Symantec), Worm/SdBot.84978 (Avira), Troj/Sdbot-BI (Sophos)

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

Medium

Description: 

This memory-resident malware is both a worm and a backdoor.

It propagates via the popular peer-to-peer file-sharing network, Kazaa. It also acts as a backdoor and connects to a certain Internet Relay Chat (IRC) server. Via IRC, it is able to receive commands from remote users to process on compromised machines.

This worm runs on Windows 95, 98, ME, NT, 2000, and XP systems.

Description created: Sep. 3, 2003 2:15:07 AM GMT -0800
Description updated: Sep. 4, 2003 8:03:27 PM GMT -0800


TECHNICAL DETAILS


Size of malware: Varies

Initial samples received on: Sep 3, 2003

Details:

Installation and Autostart

When initially executed, this worm drops a copy of itself in the Windows system folder using any of the following file names:

  • 5PY.EXE
  • BUSTY_STRIPPER.SCR
  • CHANGE.EXE
  • DEVLDR32.EXE
  • EXPLORER2.EXE
  • EXPLORER64.EXE
  • KERNEIL32.EXE
  • KERNEL32.EXE
  • LSASSS.EXE
  • MSCONFIG32.EXE
  • MSUPDATE32.EXE
  • MSWIN32.EXE
  • PERFHMON.EXE
  • RUNDLL32.EXE
  • RUNXDLL.EXE
  • SCLHOST.EXE
  • SYSCFG32.EXE
  • TASKMGER.EXE
  • TEMPTR.EXE
  • WIN32.EXE
  • WINCFG.SCR
  • WINCMD.EXE
  • WUAUMQR.EXE
  • WUPDADTE.EXE
  • WUPDMGR.EXE

(Note: The Windows system folder is usually C:\Windows\System, C:\Winnt\System32, or C:\Windows\System32.)

However, if it is already running, it uses a different file name composed of 10 random characters.

This worm creates the following registry entries so that its dropped copy executes at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
%Value%

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
%Value%

%Value% can be any of the following registry values and value data combinations, depending on the name of the dropped file:

  • dll driver = devldr32.exe
  • Ethernet100 = WinCMD.exe
  • Kernel32 = Kernel32.exe
  • Microsoft Explorer(64) = explorer64.exe
  • Microsoft Update 32 = msupdate32.exe
  • MSConfig = MSCONFIG32.EXE
  • Perfomance Monitoring = Perfhmon.exe
  • System Configuration = syscfg32.exe
  • System Security = runxdll.exe
  • Temp Modem Driver = temptr.exe
  • Windows Xplorer = Explorer2.exe
  • Winsock_2 driver = wuaumqr.exe
  • Winsock2 driver = change.exe
  • Winsock2 driver = LSASSS.EXE
  • Winsock2 driver = mswin32.exe
  • Winsock2 driver = RunDLL32.exe
  • Winsock2 driver = Sclhost.exe
  • Winsock2 driver = syscfg32.exe
  • Winsock2 driver = taskmger.exe
  • Winsock2 driver = Win32.exe
  • Winsock2 driver = wincfg.scr
  • Winsock2 driver = wuaumqr.exe
  • Winsock2 driver = wupdmgr.exe
  • Winsock2 = driver busty_stripper.scr
  • Winsockport = kerneil32.exe
  • Wupdate driver = 5py.exe
  • Wupdate driver = wupdadte.exe

After installing itself, this worm terminates its running copy and deletes it. At the same time, it starts a new process from the dropped copy and continues with the rest of its routines there.

Additionally, this malware registers itself as a service process so that its activities are hidden from the Task Manager in Windows 95, 98 and ME.

Propagation via KaZaA

The malware creates the folder KAZAABACKUPFILES or TMPKAZAA in the System folder and drops a copy of itself using any of the following file names:

  • (KEYGEN) FLUKE.NETWORK.INSPECTOR.V5-KEYGEN.EXE
  • 3D STUDIO MAX V5.0 - KEYGEN.EXE
  • ACDC CRACK.EXE
  • AGNITUM PRO CRACK.EXE
  • AIMVISION.EXE
  • ALICIA_KEYS XXX.JPG.EXE
  • ANNA.JPG.EXE
  • ANTIVIRUS.EXE
  • AOL SPEEDHACK.EXE
  • AOL URGENT UPGRADE.EXE
  • AQUANOX2 CRACK.EXE
  • ARIA GIOVANNI.JPG.EXE
  • AVP_CRACK.EXE
  • BATTLEFIELD 1942 CRACK.EXE
  • BATTLEFIELD_1942.KEYGEN.FDX.SHAREREACTOR.EXE
  • BATTLEFIELD1942_BLOODPATCH.EXE
  • BRITNEY SPEARS PUSSY.EXE
  • BRITNEY_SPEARS_SPREAD.JPG.EXE
  • C&C GENERALS_CRACK.EXE
  • C&C.GENERALS-KEYGEN.EXE
  • CARTOON HENTAI.JPG.EXE
  • CHESS MASTER 8.0.EXE
  • CHRISTINA AGUILERA PUSSY.JPG.EXE
  • CHRISTINA AGUILERA SPREAD.JPG.EXE
  • CHRISTINA_AGUILERA_NUDE.JPG.EXE
  • CONFERENCE ROOM.EXE
  • COUNTER-STRIKE_NOCD-CRACK.EXE
  • CRACK.EXE
  • CS WORKINGONLINE KEY GEN.EXE
  • CS-KEYGEN.EXE
  • CUNTJUICE.JPG.EXE
  • BANGBUS.JPG.EXE
  • DEFTONES - MINERVA(NOT A LOOP).MP3.EXE
  • DEV-NFS.EXE
  • DIABLO 2 BATTLE NET CHARACTER EDITOR.EXE
  • DIABLO 2 WORKING BNET
  • DIVX 5.0.5.EXE
  • DIABLO 2 EXPANSION.EXE
  • DIVX 5.04 PROFESSIONAL.EXE
  • DIVX BUNDLE WITH ALL PLUGINS/CRACKED.EXE
  • DOWNLOAD_ME.EXE
  • DR DOS TOOLS.ZIP.EXE
  • CABLE MODEM UNCAPPING.PIF
  • EATOP605KG.EXE
  • EDONKEY 2000.EXE
  • EEYE CRACK.EXE
  • ELIZA DUSHKU XXX.JPG.EXE
  • EMINEM - UNRELEASED.MP3.EXE
  • EVIL.EXE
  • EVILBOT.EXE
  • EZ TRUST ANTIVIRUS.EXE
  • FIFA2003 CRACK.EXE
  • FLOOD.EXE
  • NUKE.EXE
  • FOOTBALL GAME(OLD SCHOOL).EXE
  • FREE MONEY.PIF
  • FREE_PORN_PASSWORDS.EXE
  • FREELANCER KEYGEN.EXE
  • FRUITY LOOPS CRACK.EXE
  • FRUITY LOOPS.EXE NERO
  • GAMECUBE EMULATOR.EXE
  • GENERATOR.EXE WINDOWS XP KEYGEN.EXE
  • GISELE BUNDCHEN.JPG.EXE
  • GWEN STEFANI NUDE.JPG.EXE
  • HALFLIFE KEY GENERATOR.EXE
  • HALF-LIFE_NOCD-CRACK.EXE
  • STYLEXP.EXE
  • HENTAI FUCKING AND SUCKING.MPEG.EXE
  • HOW TO GET LATEST RELEASES.PIF
  • HOW TO KILL SOMEONE.PIF
  • HOW TO MAKE FREE CALLS.PIF
  • HOW TO SPEED UP TRANSFERS IN KAZAA.PIF
  • HV-MAX5-KG.EXE
  • IRCD SOFTWARE.EXE
  • IRCRAFT SIMULATOR.EXE
  • JENNA JAMESON.JPG.EXE
  • JENNIFER ANISTON XXX.JPG.EXE
  • JENNIFER LOPEZ PUSSY.JPG.EXE
  • JENNIFER LOVE HEWITT XXX.JPG.EXE
  • JENNIFERLOPEZ SPREAD.JPG.EXE
  • JESSICA ALBA XXX.EXE
  • JIGSAW.EXE
  • JLONUDE.JPG.EXE
  • KASPERSKY CRACK.EXE
  • KATE HUDSON NAKED.JPG.EXE
  • KAZAA LITE.EXE
  • KAZAA SPEEDHACK.EXE
  • KAZAA 2.5 UPGRADE[BEST].EXE
  • KAZAA UPGRADE SOFTWARE.EXE
  • KAZAA.EXE
  • WHY USA IS GONNA WIN.PIF
  • KAZAASPEED.EXE
  • KELLY HUXXX.JPG.EXE
  • KEYGEN.EXE
  • KIRSTEN DUNST NUDE.JPG.EXE
  • LIVE WEBCAMS.EXE
  • MADONNA_NUDE.JPG.EXE
  • MANDY MOORE NAKED BEACH.JPG.EXE
  • MANDY MOORE-XXX.JPG.EXE
  • MADONNA XXX.JPG.EXE
  • MARIAH CAREY TITS.JPG.EXE
  • MARIAH_CAREY_NUDE.JPG.EXE
  • MATRIX 2 SCRIPT.PIF
  • MCAFEE UPGRADE CRACK.EXE
  • MELISSA.JPG.EXE
  • MICROSOFT IIS CRITICAL UPGRADE.EXE
  • MICROSOFT SIMULATOR CRACK.EXE
  • MICROSOFT URGENT UPGRADE.EXE
  • MIRC KEYGEN.EXE
  • MONICA BELLUCCI XXX.JPG.EXE
  • MUDVAYNE - UNRELEASED.MP3.EXE
  • NAS - UNRELEASED.MP3.EXE
  • NBA2003_CRACK.EXE
  • NERO 5.9.10.X KEY GENERATOR.EXE
  • NERO 6.0 KEY GENERATOR.EXE
  • NERO_5.X.X_KEYGEN KAZAA_SPEEDUP.EXE
  • NEVERWINTER NIGHTS SERIALS.EXE
  • NICE WET PUSSY.JPG.EXE
  • NICEPUSSY.JPG.EXE
  • NOKIA CELLPHONE PHREAKER.EXE
  • NORTON ANTIVIRUS 2003.EXE
  • NORTON SYSTEMWORKS CRACK.EXE
  • NORTON_ANTIVIRUS.EXE
  • NULLSOFT INSTALLER.EXE
  • OPERA601KEY.EXE
  • PALIN.EXE
  • PAMELAXXX.JPG.EXE
  • PASSWORDCRACKER.EXE
  • PC-CILLIN CRACK.EXE
  • PINBALL.EXE
  • PORN.EXE
  • PORNPASS.EXE
  • DREAMWEAVER_CRACK[WORKS!].EXE
  • POSTAL2CRACK.EXE
  • POWERDVD CRACK.EXE
  • POWERDVD XP V4.0
  • PS2 PLAYSTATION2 EMULATOR.EXE
  • QUAKE3 %20 BOT.EXE
  • QUICKTIME 6 PRO KEYGEN.EXE
  • QUICKTIME PRO %20 CRACK.EXE
  • RAYMAN.EXE
  • REALPLAYER GOLD %20CRACK.EXE
  • RED FACTION CRACK.EXE
  • REESE WITHERSPOON.JPG.EXE
  • SEGA EMULATOR WITH SONIC GAMEPACK.EXE
  • SHAKIRA PUSSY.JPG.EXE
  • SHAKIRA XXX.JPG.EXE SHANIA
  • SHAKIRA_XXX.JPG.EXE
  • SNAKE.EXE
  • SNES EMULATOR.EXE
  • SNOWBALL.EXE
  • SONIC FOUNDRY ACID PRO 4.0 KEYGEN(1).EXE
  • SOPHOS CRACK.EXE
  • SOULSEEK 4.0 UPGRADE.EXE
  • BEARSHARE 4.01.EXE
  • SQUIRT.JPG.EXE
  • SQUIRT_QUEEN_14.JPG.EXE
  • SQUIRTER.JPG.EXE
  • STYLEXP_FULL.EXE
  • STYLEXP_CRACK.EXE
  • SUPER NINTENDO EMULATOR(PLAY ONLINE).EXE
  • SYGATE FIREWALL PRO CRACK.EXE
  • TETRIS EMULATOR.EXE
  • TETRIS.EXE
  • THE HULK PREVIEW.PIF
  • THE MATRIX 3 PREVIEW.PIF
  • THE SIMS NUDE.EXE A
  • TIFFANI-AMBER THIESSEN PUSSY.JPG.EXE
  • TONI BRAXTON NUDE.JPG.EXE
  • TRILLAIN CRACK.EXE
  • TRILLIAN PRO CRACK.EXE
  • TRILLIAN SERIALS.TXT.EXE
  • TROJAN_REMOVER.EXE
  • TWAIN XXX.JPG.EXE
  • UNREAL2_BLOODPATCH.EXE
  • UT2003_BLOODPATCH.EXE
  • VMWARE 320 KEYGEN (1).EXE
  • WET_PUSSY.EXE
  • WETCUNT.JPG.EXE
  • WINAMP CLASSIC 2.81.EXE
  • WINDOWS 2000 PROFFESSIONAL.ISO.EXE
  • WINDOWS WORKING KEY
  • WINDOWS XP PROFESSIONAL KEYGEN BY CAFO.EXE
  • WINDOWS XP PROFESSIONAL.ISO.EXE
  • WINMX UPGRADE.EXE
  • WINMX.EXE
  • WINXP_KEY_GENERATOR.EXE
  • WINZIP CRACK.EXE
  • WINRAR CRACK.EXE
  • XBOX EMULATOR GAMES PACK.EXE
  • XBOX EMULATOR -WORKING-.EXE
  • XBOX EMULATOR.EXE
  • XPKEY.EXE
  • ZONEALLARM_PRO_CRACK.EXE

It then creates the following registry entry, which sets the folder it created (KAZAABACKUPFILES or TMPKAZAA) as "shared" in Kazaa:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent
Dir0 = "012345:%System%\%Directory%"

(Note: %Directory% is the name of the folder created by the malware, which could be TMPKAZAA or KAZAABACKUPFILES.)
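The autostart values listed under "Installation and Autostart" and the Kazaa share entry above can be checked offline against a registry export. The script below is an added example, not part of the Trend Micro write-up: it parses a constructed `reg export` text (the sample is made up for the demonstration) and flags value-name/file-name combinations and Kazaa LocalContent paths that match the indicators documented on this page.

```python
INDICATORS = {  # value name -> dropped file names, transcribed from the write-up above
    "dll driver": {"devldr32.exe"}, "ethernet100": {"wincmd.exe"},
    "kernel32": {"kernel32.exe"}, "microsoft explorer(64)": {"explorer64.exe"},
    "microsoft update 32": {"msupdate32.exe"}, "msconfig": {"msconfig32.exe"},
    "perfomance monitoring": {"perfhmon.exe"}, "system configuration": {"syscfg32.exe"},
    "system security": {"runxdll.exe"}, "temp modem driver": {"temptr.exe"},
    "windows xplorer": {"explorer2.exe"}, "winsock_2 driver": {"wuaumqr.exe"},
    "winsockport": {"kerneil32.exe"}, "wupdate driver": {"5py.exe", "wupdadte.exe"},
    "winsock2 driver": {"change.exe", "lsasss.exe", "mswin32.exe", "rundll32.exe",
                        "sclhost.exe", "syscfg32.exe", "taskmger.exe", "win32.exe",
                        "wincfg.scr", "wuaumqr.exe", "wupdmgr.exe"},
}
AUTOSTART_KEYS = {r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
                  r"hkey_local_machine\software\microsoft\windows\currentversion\run"}
KAZAA_KEY = r"hkey_current_user\software\kazaa\localcontent"
KAZAA_DIRS = {"kazaabackupfiles", "tmpkazaa"}

# Constructed `reg export` text: two worm autostart values, one benign value, one worm share.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winsock2 driver"="C:\\WINDOWS\\System32\\Sclhost.exe"
"ctfmon"="C:\\WINDOWS\\System32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Perfomance Monitoring"="C:\\WINDOWS\\System32\\Perfhmon.exe"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\System32\\TMPKAZAA"
'''

def parse_reg_export(text):
    # Yields (key, value name, string data), all lower-cased, from a .reg export.
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            # .reg files write each backslash in string data as "\\"
            yield key, name.strip('"').lower(), data.strip('"').replace("\\\\", "\\").lower()

def find_spybot_indicators(text):
    hits = []
    for key, name, data in parse_reg_export(text):
        if key in AUTOSTART_KEYS:
            exe = data.split("\\")[-1]  # bare file name of the program being launched
            if exe in INDICATORS.get(name, ()):
                hits.append(f"autostart: {name} = {exe} in {key}")
        elif key == KAZAA_KEY and name.startswith("dir"):
            # Kazaa LocalContent entries are "<flags>:<path>"; the worm shares its own folder
            path = data.partition(":")[2]
            if path.split("\\")[-1] in KAZAA_DIRS:
                hits.append(f"kazaa share: {name} -> {path}")
    return hits
```

A hit on a value name alone is not enough (some names, such as Kernel32, are easily confused with legitimate entries), so the check requires the documented file name as well.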

Backdoor Capability

Once active, this malware attempts to connect to an Internet Relay Chat (IRC) server where it joins a channel. Via IRC, it is able to receive commands from remote users, who in turn may perform any of the following:

  • Steal Windows cached passwords
  • Activate a keylogger remotely
  • Act as a Hypertext Transfer Protocol (HTTP) Web server
  • Open and close CD-ROM tray
  • Scan ports
  • Download file(s)
  • Perform Denial of Service (DoS) attack against other systems
  • List and terminate running processes
  • List system information
  • Browse files on the compromised system
  • Execute a file remotely

This malware may drop the following files, which contain recorded keystrokes, in the Windows system folder:

  • KEYLOG.TXT
  • LOG.TXT

It may also allow remote users to issue a command that installs a copy of this malware on another host. The command tells this malware to drop a copy of itself, using the file names FILE.EXE or EXPLORER.EXE, in any of the following hard-coded folders on the target system:

  • Documents and Settings\All Users\Menu Start\Programma's\Opstarten
  • WINDOWS\All Users\Start Menu\Programs\StartUp
  • WINNT\Profiles\All Users\Start Menu\Programs\Startup
  • WINDOWS\Start Menu\Programs\Startup
  • Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
  • Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
  • Documents and Settings\All Users\Start Menu\Programs\Startup

Since these folders are common startup folders, this malware is likely to be executed automatically on the target system at the next startup.

Process Termination

This malware may terminate the following processes, which are Windows utilities:

  • NETSTAT.EXE
  • TASKMGR.EXE
  • MSCONFIG.EXE
  • REGEDIT.EXE

This routine makes manual malware removal difficult without the use of third party utilities.

Other Details

This worm is written in C and usually arrives compressed with ASPACK, PEPACK, UPX or FSG compression software.




Analysis by: Alejandro Mendoza


SOLUTION


Minimum scan engine version needed: 6.500

Pattern file needed: 1.641.24

Pattern release date: Sep 3, 2003


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection.

Solution:

AUTOMATIC REMOVAL INSTRUCTIONS

To automatically remove this malware from your system, please refer to the Trend Micro Damage Cleanup Engine and Template.

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_SPYBOT.B.

Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware.

One such utility is Process Explorer from Sysinternals. This small program can be downloaded freely from the Sysinternals site.

Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

  1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry or entries:
    <malware detected earlier>
    Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
  5. In the right panel, locate and delete the entry or entries:
    <malware detected earlier>
  6. Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Locating a Malware File

On Windows 9x/NT

  1. Click Start>Find>Files and Folders.
  2. In the Named input box, type:
    KEYLOG.TXT
    LOG.TXT
  3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

On Windows 2000/ME/XP

  1. Click Start>Search>For Files and Folders.
  2. In the Search for files and folders named input box, type:
    KEYLOG.TXT
    LOG.TXT
  3. In the Look In drop-down list, select the drive which contains Windows, then press Enter.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SPYBOT.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.
