Sophos

W32/Spybot-CB


Summary

 
Protection available since 19 May 2004 14:16:08 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Renaming the registry editor

  • Using Windows Explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt), right-click Regedit.exe and make a copy of it.
  • Rename the copy of Regedit.exe to Regedit.com.
  • At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Data Server = AUTODISC.EXE

and delete it if it exists.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\Windows Data Server = AUTODISC.EXE

and delete it if it exists.

Close the registry editor and reboot your computer.
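
The same registry checks can be run offline against a `.reg` export taken from the affected machine. The Python below is an added example, not Sophos code; it goes slightly beyond the steps above by checking both Run and RunOnce under every hive, and the sample export, its SIDs and its paths are constructed for illustration.

```python
import re
from ntpath import basename

# Indicators from the description on this page (compared case-insensitively).
VALUE_NAME, FILE_NAME = "windows data server", "autodisc.exe"
AUTORUN_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows\currentversion\runonce")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
STR_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Constructed sample in .reg export format; SIDs and paths are made up.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Data Server"="AUTODISC.EXE"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Windows Data Server"="C:\\WINDOWS\\system32\\AUTODISC.EXE"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1002\Software\Example]
"Windows Data Server"="AUTODISC.EXE"
"""


def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash


def find_spybot_cb_autoruns(reg_text):
    """Return (key, value name, data) for each matching autorun entry."""
    hits, key = [], None
    for line in map(str.strip, reg_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = STR_RE.match(line)
        if not m or key is None or not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        name, data = unescape(m.group("name")), unescape(m.group("data"))
        # Compare the file name only, so a full path to AUTODISC.EXE also matches.
        if name.lower() == VALUE_NAME and basename(data).lower() == FILE_NAME:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_spybot_cb_autoruns(SAMPLE_EXPORT):
        print(f"remove: [{key}] {name} = {data}")
```

Exports written in the "Windows Registry Editor Version 5.00" format are normally UTF-16, so decode the file to text before passing it to the function.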

More Information

W32/Spybot-CB is a network worm with backdoor Trojan functionality.

W32/Spybot-CB attempts to move itself to AUTODISC.EXE in the Windows
System folder and creates entries in the registry at the following locations to run
itself on system logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Windows Data Server = AUTODISC.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Data Server = AUTODISC.EXE

W32/Spybot-CB also attempts to copy itself to the startup folder of attached
network drives and can be used to record the keystrokes on the compromised
machine, effectively acting as a keylogger. This worm can also be used to initiate SYN flood attacks.

W32/Spybot-CB remains resident, running in the background as a service
process and listening for commands from remote users via IRC channels.

W32/Spybot-CB attempts to terminate various programs including the
following:

NETSTAT.EXE
MSCONFIG.EXE
REGEDIT.EXE
TASKMAN.EXE
NAVAPW32.EXE
MMC.EXE
NAVAPW.EXE
TASKMGR.EXE
MSANTIV32.EXE
DUMP3-2INI.EXE
MSTASK.EXE
TASKMON.EXE
