WORM_SPYBOT.BD

Malware type: Worm

In the wild: No

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, and XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm uses a hardcoded list of weak user names and passwords to access a particular machine. It then propagates via the accessed system's network shares.

Upon execution, it drops the file MSAUTO32.EXE in the Windows System folder.

This worm also has backdoor capabilities. It has a built-in IRC (Internet Relay Chat) client engine, which enables it to connect to a remote IRC server, join a specific channel and await for commands from a remote user.

This worm also steals CD keys of certain game applications.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Jul. 2, 2004 5:27:43 AM GMT -0800
Description updated: Jul. 2, 2004 6:04:21 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 81,920 Bytes

Initial samples received on: Jul 2, 2004

Details:

Installation and Autostart

Upon execution, it drops the file MSAUTO32.EXE in the Windows system folder.

(Note: The Windows system folder is usually C:\Windows\System on Windows 95, 98, and ME, C:\WINNT\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP.)

It adds the following registry entries to ensure automatic execution upon every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Run
MS Autoloader 32 = "MSAuto32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\RunServices
MS Autoloader 32 = "MSAuto32.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
MS Autoloader 32 = "MSAuto32.exe"

This worm disables the Distributed Component Object Model (DCOM) of the infected system by modifying the following Windows registry entry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
EnableDCOM = "N"

It also disables enumeration of SAM accounts and names by modifying the following registry entry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
Restrictanonymous = "dword:00000001"

Network Propagation

This worm uses a hardcoded list of weak user names and passwords to access a particular machine. It then propagates via the accessed system's network shares, which are the following administrative folders where it drops and executes a copy of itself:

  • C$\Windows\System32
  • C$\Winnt\System32
  • Admin$\Winnt\System32
  • IPC$

It uses the following hardcoded list of weak user names and passwords to attack targeted machines:

USER NAMES:

  • adm
  • administrador
  • administrat
  • administrateur
  • administrator
  • admins
  • computer
  • database
  • db2
  • dba
  • default
  • guest
  • oracle
  • owner
  • staff
  • student
  • teacher
  • wwwadmin

PASSWORDS:

  • 007
  • 1
  • 12
  • 123
  • 1234
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 2000
  • 2001
  • 2002
  • 2003
  • 2004
  • access
  • accounting
  • accounts
  • asd
  • backup
  • bill
  • bitch
  • blank
  • bob
  • brian
  • changeme
  • chris
  • cisco
  • compaq
  • control
  • data
  • databasepass
  • databasepassword
  • db1
  • db1234
  • dbpass
  • dbpassword
  • dell
  • demo
  • domain
  • domainpass
  • domainpassword
  • eric
  • exchange
  • fred
  • fuck
  • george
  • god
  • hell
  • hello
  • home
  • homeuser
  • hp
  • ian
  • ibm
  • internet
  • intranet
  • jen
  • joe
  • john
  • kate
  • katie
  • lan
  • lee
  • linux
  • login
  • loginpass
  • luke
  • mail
  • main
  • mary
  • mike
  • neil
  • nokia
  • none
  • null
  • oem
  • oeminstall
  • oemuser
  • office
  • orainstall
  • outlook
  • pass
  • pass1234
  • passwd
  • password
  • password1
  • peter
  • pwd
  • qaz
  • qwe
  • qwerty
  • sam
  • server
  • sex
  • siemens
  • slut
  • sql
  • sqlpassoainstall
  • sue
  • susan
  • system
  • technical
  • test
  • unix
  • user
  • web
  • win2000
  • win2k
  • win98
  • windows
  • winnt
  • winpass
  • winxp
  • www
  • xp
  • zxc

Backdoor Capabilities

This worm has a built-in IRC (Internet Relay Chat) client engine, which enables it to connect to a remote IRC server, join a specific channel and await for commands from a remote user.

  • Retrieve system information
  • Download/Update of itself
  • Search file
  • Send private message
  • Sniff packets
  • Launch denial of service attack
  • Log keystrokes
  • Capture video
  • Execute command
  • Redirect TCP
  • List threads

Information Theft

This worm also steals CD keys of the following game applications:

  • Battlefield 1942
  • Battlefield 1942 Road To Rome
  • Black and White
  • Command & Conquer
  • Counter-Strike ( Retail )
  • FIFA 2002
  • FIFA 2003
  • Freedom Force
  • Global Operations
  • Half-Life
  • Hidden & Dangerous 2
  • IGI 2: Covert Strike
  • James Bond 007: Nightfire
  • Medal of Honor: Allied Assault
  • Nascar Racing
  • Need for Speed
  • Neverwinter
  • NHL 2002
  • NHL 2003
  • NFSHP2
  • Project IGI 2
  • Rainbow Six III RavenShield
  • Shogun: Total War: Warlord Edition
  • Soldier of Fortune II - Double Helix
  • The Gladiators
  • Unreal Tournament 2003
  • Unreal Tournament 2004
 
 
 

Analysis by: Imelda Yap

Revision History:

First pattern file version: 5.988.10
First pattern file release date: Apr 27, 2009

SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 5.989.00

Pattern release date: Apr 27, 2009


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_SPYBOT.BD.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro�s free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    � On Windows 95, 98, and ME, press
    CTRL%20ALT%20DELETE
    � On Windows NT, 2000, and XP, press
    CTRL%20SHIFT%20ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    MS Autoloader 32 = "MSAuto32.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>RunServices
  5. In the right panel, locate and delete the entry:
    MS Autoloader 32 = "MSAuto32.exe"
  6. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  7. In the right panel, locate and delete the entry:
    MS Autoloader 32 = "MSAuto32.exe"
  8. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Additional Windows ME/XP Cleaning Instructions

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SPYBOT.BD. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro�s free online virus scanner.


Trend Micro offers best-of-breed antivirus and content-security solutions for your corporate network, small and medium business, mobile device or home PC.