W32/Spybot.AF!tr
Analysis
- Virus is 32 bit with a file size of 47,136 bytes
- Virus contains instructions to connect with an
Internet server using a specific TCP port and await
instructions, and also spread to other computers across
a network
- If the virus is run, it will copy itself to the System
folder as "svcdim.exe" and modify the registry
to run at Windows startup -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
"Wupdate driver" = svcdim [extra data]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\
"Wupdate driver" = svcdim [extra data]
- The virus will attempt to bind to TCP port 3113 and await commands from a malicious user
- The virus could interpret any of the following commands and perform the related function -
.login
.info
.passwords
.threads
.killthread
.startkeylogger
.stopkeylogger
.listprocesses
.killprocess
.disconnect
.reconnect
.server
.quit
.reboot
.uninstall
.httpserver
.redirect
.raw
.download
.syn
.list
.delete
.rename
.execute
.makedir
.sendkeys
.keyboardlights
.cd-rom
.spy
.stopspy
.redirectspy
.stopredirectspy
.opencmd
.cmd
.get
.sendto
.scan
- The virus will also attempt to connect with the IRC server IP address 82.192.74.42 using TCP port 6667 and act as a bot, awaiting instructions from malicious users
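The two network behaviours above (a listener on TCP 3113 and an outbound connection to 82.192.74.42:6667) are easy to pick out of `netstat -ano` output on a suspect host. The following is an added example, not part of the original advisory; the netstat text and the PID 1496 are constructed, and the only indicators it uses are the ones the page states.

```python
"""Flag the Spybot.AF network indicators in Windows `netstat -ano` output.

Added example, not part of the original advisory. It uses only the two
indicators the page gives: a listener on TCP 3113 (the backdoor) and a
connection to 82.192.74.42:6667 (the IRC server). The netstat output and
the PID 1496 are constructed.
"""
import re

BACKDOOR_PORT = 3113
IRC_SERVER = "82.192.74.42"
IRC_PORT = 6667

# Constructed sample of Windows `netstat -ano` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3113           0.0.0.0:0              LISTENING       1496
  TCP    192.168.1.20:1043      82.192.74.42:6667      ESTABLISHED     1496
  TCP    192.168.1.20:1044      203.0.113.5:80         ESTABLISHED     2200
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<lhost>\S+):(?P<lport>\d+)\s+"
    r"(?P<fhost>\S+):(?P<fport>\S+)\s+(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Parse connection lines; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["fport"] = int(row["fport"]) if row["fport"].isdigit() else None
        rows.append(row)
    return rows


def find_indicators(text):
    """Return (indicator, pid, detail) for every TCP socket matching the page's IOCs."""
    hits = []
    for r in parse_netstat(text):
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["lport"] == BACKDOOR_PORT:
            hits.append(("backdoor_listener", r["pid"], f"{r['lhost']}:{r['lport']}"))
        if r["fhost"] == IRC_SERVER and r["fport"] == IRC_PORT:
            hits.append(("irc_c2", r["pid"], f"{r['fhost']}:{r['fport']} {r['state']}"))
    return hits


def suspect_pids(text):
    """PIDs showing BOTH indicators. One process that listens on 3113 and
    also talks to the IRC server is the strong signal; a lone 6667
    connection may be a legitimate IRC client."""
    by_pid = {}
    for kind, pid, _ in find_indicators(text):
        by_pid.setdefault(pid, set()).add(kind)
    return sorted(pid for pid, kinds in by_pid.items()
                  if {"backdoor_listener", "irc_c2"} <= kinds)


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_NETSTAT):
        print(hit)
    print("suspect PIDs:", suspect_pids(SAMPLE_NETSTAT))
```

Correlating on the PID is the point: the backdoor listener and the IRC connection belong to the same process, which is what separates this bot from an ordinary IRC client that happens to use port 6667. Paste real `netstat -ano` output into SAMPLE_NETSTAT, or read it from a file, to use it on a live host.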
- The virus may attempt to locate other machines across the network, connect to the IPC$ share of those systems and copy itself into any of these paths (the Startup folders of English Windows and of Italian, German and Dutch localized versions) -
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Menu Start\Programma's\Opstarten
Documents and Settings\All Users\Start Menu\Programs\Startup
WINDOWS\All Users\Start Menu\Programs\StartUp
WINDOWS\Start Menu\Programs\Startup
WINNT\Profiles\All Users\Start Menu\Programs\Startup
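The registry persistence described earlier and the startup-folder drop paths listed above give two host-side indicators: the "Wupdate driver" value under Run/RunOnce, and a copy of svcdim.exe in the System folder or in one of those Startup folders. The following is an added example, not part of the original advisory. It works on exported text (a .reg dump and a recursive file listing) rather than querying a live registry, so it runs anywhere; the sample dump and listing are constructed, the value data "svcdim" is assumed because the page elides what follows it, and treating both System32 and System as the "System folder" is an assumption.

```python
"""Check a host for the Spybot.AF persistence and spread artefacts.

Added example, not part of the original advisory. It parses a `reg export`
style dump and a `dir /s /b` style file listing, both constructed here.
The value data "svcdim" is assumed (the page elides what follows it).
"""
import re

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
VALUE_NAME = "wupdate driver"
FILE_NAME = "svcdim.exe"
# "System folder" on the page: System32 on NT-family Windows, System on 9x (assumption).
SYSTEM_DIRS = ("system32", "system")

# Startup folders the worm writes into on remote machines (from the page).
STARTUP_PATHS = (
    r"Documenti e Impostazioni\All Users\Start Menu\Programs\Startup",
    r"Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup",
    r"Documents and Settings\All Users\Menu Start\Programma's\Opstarten",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup",
    r"WINDOWS\All Users\Start Menu\Programs\StartUp",
    r"WINDOWS\Start Menu\Programs\Startup",
    r"WINNT\Profiles\All Users\Start Menu\Programs\Startup",
)

# Constructed `reg export`-style dump.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe"
"Wupdate driver"="svcdim"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Wupdate driver"="svcdim"
"""

# Constructed `dir /s /b`-style listing.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\svcdim.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svcdim.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini",
    r"C:\Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup\SVCDIM.EXE",
    r"C:\Program Files\Tools\svcdim.exe",
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def find_run_values(reg_text):
    """Return (key, name, data) for every Run/RunOnce value named 'Wupdate driver'.
    Matching is on the value name only, since the page does not give the full data."""
    hits, current = [], None
    for line in reg_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            current = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if (v and current and current.lower() in RUN_KEYS
                and v.group("name").lower() == VALUE_NAME):
            hits.append((current, v.group("name"), v.group("data")))
    return hits


def classify_path(path):
    """'system_copy', 'startup_copy', 'other_copy' (same name elsewhere) or None."""
    parts = path.lower().replace("/", "\\").split("\\")
    if parts[-1] != FILE_NAME:
        return None
    if len(parts) >= 2 and parts[-2] in SYSTEM_DIRS:
        return "system_copy"
    parent = "\\".join(parts[:-1])
    if any(parent.endswith("\\" + s.lower()) for s in STARTUP_PATHS):
        return "startup_copy"
    return "other_copy"  # not a location the page lists, but worth a look


def scan(reg_text, paths):
    """Combine both checks into one report."""
    files = [(p, kind) for p in paths if (kind := classify_path(p))]
    return {"registry": find_run_values(reg_text), "files": files}


def is_infected(reg_text, paths):
    """Autorun value present AND the file in a location the page lists."""
    report = scan(reg_text, paths)
    return bool(report["registry"]) and any(
        kind in ("system_copy", "startup_copy") for _, kind in report["files"])


if __name__ == "__main__":
    print(scan(SAMPLE_REG, SAMPLE_FILES))
    print("infected:", is_infected(SAMPLE_REG, SAMPLE_FILES))
```

Path comparison is case-insensitive and anchored on the folder tail rather than the drive letter, so the same check works on a local listing and on a listing taken through an administrative share of another machine, which is where the spread copies would appear.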
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Using the FortiGate manager, block access to TCP port 3113
(inbound, the backdoor listener) and TCP port 6667
(outbound, the IRC connection)
- Also add the IP address 82.192.74.42 (the IRC server the bot connects to) to the list of IPs and URLs to block