high
Summary
Summary
Action- More Information
| Protection available since | 6 November 2003 10:02:12 (GMT) |
|---|---|
| Detected by | All Sophos products |
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Check your administrator passwords and review network security.
Change any passwords that may have become compromised.
More Information
W32/Spybot-W is a peer-to-peer worm that spreads via network drives, email, Messenger and the IRC network.
In order to run automatically on system startup the worm copies itself to the file wupdated.exe in the Windows system folder and registers itself as the wupdated (Windows Update Service) service process.
The worm attempts to copy itself to the Windows system folder on attached network drives with weak passwords and to start itself on the remote computer as the Windows Update Service.
The worm tries the following usernames and passwords in all possible combinations:
wwwadmin
user
system
sqlagent
sql
root
owner
guest
database
administrator
admin
!@#$%^&*
!@#$%^&
!@#$%^
!@#$%
!@#$
654321
123456
1234
123
111
1
wwwadmin
user
system
sqlagent
sql
server
secret
root
password
password123
pass
pass123
owner
hidden
guest
database
asdfgh
asdf
administrator
admin
In order to spread via IRC the worm attempts to modify the configuration files of the popular mIRC client. Each user that joins the same channel the current user is on will receive a message urging him to download a copy of the worm.
W32/Spybot-W attempts to spread via the MSN, AIM and Yahoo messenger networks by sending the message "hey, check out this funny pic: http://www.rf-mods.com/bot.pif."
W32/Spybot-W has an IRC backdoor component which has keylogging and backdoor capabilities. The worm connects to an IRC server announcing the infection and allows a malicious user remote access to the computer.
|
