WORM_SPYBOT.NB

Malware type: Worm

Aliases: Packed.Win32.Klone.j (Kaspersky), W32/Sdbot.worm (McAfee), W32.Spybot.Worm (Symantec), TR/PCK.Klone.J.119 (Avira), W32/RBot-FOY (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm spreads via network shares. It uses a list of user names and passwords to gain access to other machines. It then drops a copy of itself in accessed network shares.

It has backdoor capabilities that enable it to connect to an Internet Relay Chat (IRC) server using random ports. This allows a remote user to access the infected system and perform malicious commands. It can also steal the Windows product ID and CD keys of popular game applications.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

For additional information about this threat, see:

Description created: Nov. 1, 2004 3:59:37 AM GMT -0800


TECHNICAL DETAILS


Size of malware: 74,778 Bytes (compressed);
443,904 Bytes (uncompressed)

Initial samples received on: Oct 28, 2004

Details:

Installation and Autostart Technique

Upon execution, this memory-resident worm drops the following copies of itself in the Windows system folder:

  • XCALIBRE.EXE
  • MSWORD.DAT

It then deletes the executed file.

It also drops the following text file, which serves as a log file for all the activity that this worm performed on the infected system:

    %Root%\DEBUG.TXT

(Note: %Root% refers to the default root folder, which is usually C:\.)

It creates the following registry entries so that its dropped copy runs at every system startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Msword = "XCALIBRE.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Msword = "XCALIBRE.EXE"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Msword = "XCALIBRE.EXE"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Msword = "XCALIBRE.EXE"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Msword = "XCALIBRE.EXE"

Propagation via Network Shares

This worm uses the following list of user names and passwords to gain access to other systems:


It also copies itself to all accessible systems in the network. It drops its copies in the following network shared drives:

  • C$\Windows\system32
  • C$\WINNT\system32
  • ADMIN$\system32
  • IPC$

Denial of Service Attack

This worm can also perform a denial of service (DoS) attack against any site of the attacker's choice, using any of the following flooding methods:

  • Ping
  • SYN
  • UDP

Backdoor Capabilities

This worm has backdoor capabilities. It connects to the Internet Relay Chat (IRC) server will.soul-gate.net and joins the channel #mel# using MeLL-<random digits> as its nickname.

When a connection is established, this worm acts as an IRC bot that enables a remote malicious user to perform any of the following actions on the affected system:

  • Scan for exploits/open ports
  • Retrieve CD keys/system information
  • Start keylogging routine
  • List processes
  • Perform distributed denial of service (DDoS) attack
  • Locate files on a target system
  • List threads
  • Retrieve network information
  • Terminate processes/threads
  • Delete files
  • Send files via the DCC IRC command
  • List shares on system
  • Capture screenshots
  • Clone bot (the worm itself)
  • Send an email message
  • Download file via FTP
  • Launch SYN flood attack
  • Delete shared drives
  • Manipulate IRC privileges
  • Perform IRC commands (send message, kick a user, send a file, flood a channel etc.)
  • Upload/download files

This worm works on the following versions of IRC applications:

  • mIRC32 v6.12 K.Mardam-Bey
  • mIRC32 v6.10 K.Mardam-Bey
  • mIRC32 v6.03 K.Mardam-Bey
  • mIRC32 v6.01 K.Mardam-Bey
  • mIRC32 v6.1 K.Mardam-Bey

Information Theft

This worm steals the Windows product ID and CD keys of the following game applications:

  • Battlefield 1942
  • Battlefield 1942 Secret Weapons of WWII
  • Battlefield 1942 The Road to Rome
  • Command & Conquer Generals
  • Counter-Strike ( Retail )
  • FIFA 2003
  • Half-Life
  • IGI 2 Retail
  • Need For Speed Hot Pursuit 2
  • Neverwinter
  • Project IGI 2
  • Rainbow Six III RavenShield
  • Red Alert 2
  • Soldier of Fortune II - Double Helix
  • Tiberian Sun
  • Unreal Tournament 2003

It also uses a network sniffer known as Carnivore to retrieve passwords and other sensitive information from the affected system. This network sniffer checks for the following strings in the packets:

  • :!login
  • :!auth
  • :.auth
  • :.login

Other Details

This worm is written in Microsoft Visual C++ and compressed using UPX.




Analysis by: Desiree Doroja and Zarestel Ferrer


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 3.849.00

Pattern release date: Oct 16, 2006


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. Note all files detected as WORM_SPYBOT.NB.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use HouseCall, Trend Micro's free online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    • On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Msword = "Xcalibre.exe"
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunOnce
  5. In the right panel, locate and delete the entry:
    Msword = "Xcalibre.exe"
  6. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>RunServices
  7. In the right panel, locate and delete the entry:
    Msword = "Xcalibre.exe"
  8. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
  9. In the right panel, locate and delete the entry:
    Msword = "Xcalibre.exe"
  10. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
  11. In the right panel, locate and delete the entry:
    Msword = "Xcalibre.exe"
  12. Close Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.
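To triage many machines for the autostart values and dropped files described in this entry, the same checks can be run over collected text output. This is an added example, not Trend Micro's tooling: it assumes registry data exported with `reg query` and a plain list of file paths, the sample inputs are constructed, and the Windows\System folder name for Windows 95/98/ME is an assumption not stated on the page.

```python
import ntpath
import re

# Five autostart keys and the value/data named in this entry (lower-cased).
_SUB = r"\software\microsoft\windows\currentversion" + "\\"
RUN_KEYS = {h + _SUB + k for h, k in [
    ("hkey_local_machine", "run"), ("hkey_local_machine", "runonce"),
    ("hkey_local_machine", "runservices"),
    ("hkey_current_user", "run"), ("hkey_current_user", "runonce")]}
AUTOSTART_FILE = "xcalibre.exe"
DROPPED_NAMES = {"xcalibre.exe", "msword.dat"}  # copies in the system folder
SYSTEM_DIRS = {"system32", "system"}            # NT-family / 9x (assumed)
LOG_NAME = "debug.txt"                          # written to the drive root


def parse_reg_query(text):
    """Yield (key, name, type, data) tuples from `reg query` text output."""
    key = None
    for raw in text.splitlines():
        if raw.upper().startswith("HKEY_"):
            key = raw.strip()
        elif key and raw[:1] in (" ", "\t") and raw.strip():
            fields = re.split(r"\s{2,}|\t", raw.strip(), maxsplit=2)
            if len(fields) == 3:
                yield (key, fields[0], fields[1], fields[2])


def find_autostart_hits(text):
    """Return (key, name, data) for Run-key values that launch the worm copy."""
    hits = []
    for key, name, _type, data in parse_reg_query(text):
        target = ntpath.basename(data.strip('"')).lower()
        if key.lower() in RUN_KEYS and target == AUTOSTART_FILE:
            hits.append((key, name, data))
    return hits


def find_file_hits(paths):
    """Return paths matching the dropped copies or the root log file."""
    hits = []
    for path in paths:
        _drive, tail = ntpath.splitdrive(path)
        folder, name = ntpath.split(tail)
        in_system = ntpath.basename(folder).lower() in SYSTEM_DIRS
        if name.lower() in DROPPED_NAMES and in_system:
            hits.append(path)
        elif tail.lower() == "\\" + LOG_NAME:   # weak indicator on its own
            hits.append(path)
    return hits


# Constructed sample inputs.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Msword    REG_SZ    XCALIBRE.EXE
    SoundMan    REG_SZ    SOUNDMAN.EXE

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Msword    REG_SZ    Xcalibre.exe
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\XCALIBRE.EXE",
    r"C:\WINDOWS\system32\msword.dat",
    r"C:\DEBUG.TXT",
    r"C:\Documents and Settings\a\My Documents\msword.dat",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_autostart_hits(SAMPLE_REG):
        print("autostart:", hit)
    for hit in find_file_hits(SAMPLE_FILES):
        print("file:", hit)
```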

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure sets.

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete all files detected as WORM_SPYBOT.NB. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.

