Virus

W32/SpyBot!worm

Analysis

Copies itself to the Windows folder as the hidden file winstep32.exe. It sets the file time to be the same as the the program explorer.exe, found in the Windows folder. It then deletes the original file.
Creates a mutex named Nan0t3k.
Adds the value:
Intel Proc = undefinedWINDOWSundefined\winstep32.exe, where undefinedWINDOWSundefined refers to the Windows folder
to the registry subkeys

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Adds the value:
EnableDCOM = "N"
to the registry subkey

HKLM\Software\Microsoft\OLE
Adds the values:
restrictanonymous = 1
restrictanonymoussam = 1
to the registry subkey

HKLM\SYSTEM\CurrentControlSet\Control\Lsa
Copies itself into the following folders:
- Documents and Settings\All Users\Start Menu\Programs\Startup
- Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
- Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
- WINDOWS\Start Menu\Programs\Startup
- WINNT\Profiles\All Users\Start Menu\Programs\Startup
- WINDOWS\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Menu Start\Programma's\Opstarten
Modifies the HOSTS file, blocking some antivirus websites.
Attempts to terminate certain processes, such as:
- AVSERVE.EXE
- MSNSS.EXE
- REGSVC32.EXE
- REGSVS.EXE
- WINBOT.EXE
- WINDOW.EXE
- WINLINK32.EXE
- WUPDATED.EXE
Connects to transistor.101main.com and the Internet Relay Chat (IRC) server hotsx0r.org and joins a channel. It then sends user information to the server and waits for remote malicious commands from the worm's author.
Opens backdoors on TCP port 113 and a random port.
Uses the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability to spread.

Recommended Action

FortiGate systems:

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Patch
Download and install the patch for the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability at http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date	Version	Detail
2024-03-17	92.02543
2023-12-27	92.00101
2023-12-25	92.00041
2023-12-20	91.09891
2023-12-18	91.09831
2023-12-13	91.09681
2023-11-12	91.08725
2023-11-09	91.08661
2023-11-09	91.08656
2023-11-08	91.08614

ID	6386
Released	Aug 26, 2005
Description Updated	Mar 13, 2007
Aliases	Backdoor.Win32.Nanobot.b, IRC/BackDoor.SdBot.150.AG, W32.Spybot.Worm, W32/Spybot, W32/SpyBot!worm, W32/SpyBot.A-net
Platform Profile	Win32 file format / PE 32 bit
Profile Type	Worm (worm)

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Virus

W32/SpyBot!worm

Analysis

Recommended Action

Telemetry

Detection Availability

Version Updates

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

Virus

W32/SpyBot!worm

Analysis

Recommended Action

Telemetry

Detection Availability

Version Updates

Threat Intelligence
Center