Summary
| Included in our products from | September 2004 (3.85) |
|---|---|
| Protection available since | 23 July 2004 10:07:24 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Spybot-CY is a network-aware worm with backdoor Trojan functionality.
W32/Spybot-CY consists of a dropper EXE component and a dropped DLL file containing the worm and Trojan components. The dropper EXE injects the DLL into the Explorer process, so the worm thread runs inside explorer.exe and does not appear as a separate process to the user.
When first run, W32/Spybot-CY copies itself into the Windows System folder as winstall.exe and runs this copy. The copy drops the DLL file wininet32.dll into the Windows System folder and injects the DLL into the Explorer process.
In order to run each time Windows is started, W32/Spybot-CY sets the following registry entries:
```
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\
UpdateCheck = winstall.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
UpdateCheck = winstall.exe
```
W32/Spybot-CY monitors these registry entries and restores them if they are deleted. The worm keeps copies of itself in the Windows user Temporary folder. These files have random names with a TXT extension. The worm uses these files to restore the dropper EXE component if it gets deleted.
W32/Spybot-CY spreads by copying itself to network shares with weak passwords. The worm also scans random IPs for computers with the RPC/DCOM vulnerability and will attempt to spread to these computers using the RPC/DCOM exploit.
W32/Spybot-CY contains an extensive backdoor IRC Trojan component. The Trojan component logs on to predefined IRC servers and joins a predefined channel.
W32/Spybot-CY will then listen for backdoor commands which it will execute on the infected computer. The backdoor can be used to:
- Copy, delete, run, send and download files on the infected computer.
- Log keyboard presses to file and to IRC.
- Steal passwords from the infected computer.
- Control the infected computer's keyboard.
- Redirect and spoof internet traffic.
- Scan for open ports on other computers.
- Take part in Denial of Service attacks by packet flooding.
- List and kill processes.
- Update itself.
- Set up an HTTP web server to allow browser access to the computer's file system.
- Send raw IRC commands.
- Make the keyboard lights flash.
- Open and close the CD-ROM tray.
- Make pre-configured changes to the registry.
On command from a remote attacker, the worm can add further autorun registry entries and modify system.ini so that it is launched together with the shell:
```ini
[boot]
shell = "explorer.exe winstall.exe"
```
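The persistence indicators described above (the `UpdateCheck` Run/RunOnce values, the `winstall.exe` and `wininet32.dll` files in the System folder, the `.txt` copies in the user's Temp folder, and the `system.ini` `shell=` modification) can be checked offline against a host triage snapshot. The following is an added example written for this page, not Sophos code: the snapshot format (lists of autorun tuples, directory listings with the first bytes of each file, and the text of system.ini) is an assumption of the example, and the "PE header inside a .txt file" check is a heuristic derived from the advisory's statement that the Temp files are copies of the worm.

```python
"""Check a collected host triage snapshot for the W32/Spybot-CY persistence
indicators listed in the advisory. Added example; snapshot layout is assumed."""

# Indicators taken from the advisory text.
DROPPER_NAME = "winstall.exe"
DROPPED_DLL = "wininet32.dll"
RUN_VALUE_NAME = "updatecheck"
RUN_KEYS = {
    r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE",
    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
}


def check_autoruns(autoruns):
    """autoruns: list of (key_path, value_name, data) tuples, as exported from
    the registry. Flags the UpdateCheck values that launch the dropper."""
    findings = []
    for key, name, data in autoruns:
        if (key.rstrip("\\").upper() in RUN_KEYS
                and name.lower() == RUN_VALUE_NAME
                and DROPPER_NAME in data.lower()):
            findings.append(f"registry autorun: {key}\\{name} = {data}")
    return findings


def check_system_ini(text):
    """Flag a [boot] shell= line that starts the dropper alongside explorer.exe."""
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "shell" and DROPPER_NAME in value.lower():
                findings.append(f"system.ini [boot] shell = {value}")
    return findings


def check_system_folder(system_dir_listing):
    """Flag the dropper EXE and dropped DLL in the Windows System folder."""
    present = {name.lower() for name in system_dir_listing}
    return [f"file in Windows System folder: {name}"
            for name in (DROPPER_NAME, DROPPED_DLL) if name in present]


def check_temp_folder(temp_dir_listing):
    """temp_dir_listing: list of (file_name, first_bytes). The worm keeps
    randomly named .txt copies of itself in the Temp folder, so a .txt file
    that begins with the PE 'MZ' magic is suspicious (heuristic)."""
    return [f"PE image stored as text file in Temp folder: {name}"
            for name, head in temp_dir_listing
            if name.lower().endswith(".txt") and head[:2] == b"MZ"]


def scan(autoruns, system_ini_text, system_dir_listing, temp_dir_listing):
    """Run every check and return the combined list of findings."""
    return (check_autoruns(autoruns)
            + check_system_ini(system_ini_text)
            + check_system_folder(system_dir_listing)
            + check_temp_folder(temp_dir_listing))


# Constructed sample snapshots (not real host data).
SAMPLE_INFECTED = (
    [
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "UpdateCheck", "winstall.exe"),
        (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", "UpdateCheck", "winstall.exe"),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon", "ctfmon.exe"),
    ],
    '[boot]\nshell = "explorer.exe winstall.exe"\n[drivers]\nwave=mmdrv.dll\n',
    ["kernel32.dll", "winstall.exe", "wininet32.dll"],
    [("~DF1234.tmp", b"\x00\x00"), ("a1b2c3.txt", b"MZ\x90\x00"), ("notes.txt", b"hello")],
)

SAMPLE_CLEAN = (
    [(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ctfmon", "ctfmon.exe")],
    "[boot]\nshell=explorer.exe\n",
    ["kernel32.dll", "wininet.dll"],
    [("notes.txt", b"hello")],
)

if __name__ == "__main__":
    for finding in scan(*SAMPLE_INFECTED):
        print(finding)
```

Matching is case-insensitive on the key path, value name and file names because Windows treats them that way; the `.txt`-with-`MZ` rule is deliberately narrow so it does not fire on ordinary text files in Temp.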
W32/Spybot-CY will attempt to terminate a number of anti-virus and system monitoring processes, including:
STINGER.EXE
DRWEBSCD.EXE
SPIDER.EXE
AvpM.exe
CLRAV.COM
FP-Win.exe
NAV32.EXE
clarv.exe
TCPView.exe
TASKKILL.EXE
TASKLIST.EXE
AVP.EXE
DRWEB32.EXE
DRWEB.EXE
NETSTAT.EXE
TASKMGR.EXE
MSCONFIG.EXE
REGEDIT.EXE
