Threat Encyclopedia
W32/SpyBot!worm
Analysis
- Copies itself to the Windows folder as the hidden file winstep32.exe. It sets the file time to be the same as
that of the program explorer.exe, found in the Windows folder. It then deletes the original file.
- Creates a mutex named Nan0t3k.
- Adds the value:
Intel Proc = %WINDOWS%\winstep32.exe, where %WINDOWS% refers to the Windows folder,
to the registry subkeys
HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- Adds the value:
EnableDCOM = "N"
to the registry subkey
HKLM\Software\Microsoft\OLE
- Adds the values:
restrictanonymous = 1
restrictanonymoussam = 1
to the registry subkey
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Copies itself into the following folders:
- Documents and Settings\All Users\Start Menu\Programs\Startup
- Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
- Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
- WINDOWS\Start Menu\Programs\Startup
- WINNT\Profiles\All Users\Start Menu\Programs\Startup
- WINDOWS\All Users\Start Menu\Programs\StartUp
- Documents and Settings\All Users\Menu Start\Programma's\Opstarten
- Modifies the HOSTS file, blocking some antivirus websites.
- Attempts to terminate certain processes, such as:
- AVSERVE.EXE
- MSNSS.EXE
- REGSVC32.EXE
- REGSVS.EXE
- WINBOT.EXE
- WINDOW.EXE
- WINLINK32.EXE
- WUPDATED.EXE
- Connects to transistor.101main.com and the Internet Relay Chat (IRC) server hotsx0r.org and joins a
channel. It then sends user information to the server and waits for remote malicious commands from the worm's
author.
- Opens backdoors on TCP port 113 and a random port.
- Uses the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) Vulnerability to spread.
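The host indicators listed above (autorun value, registry changes, mutex, dropped file and its copied explorer.exe timestamp) as a triage routine. This is an added example, not Fortinet's own tooling; the snapshot layout it consumes, the weights and the sample host data are assumptions made for the example.

```python
import ntpath

# Indicator values come from the analysis above; the snapshot layout is assumed (example only).
DROPPED_FILE = "winstep32.exe"
MUTEX_NAME = "Nan0t3k"
AUTORUN_KEYS = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce",
                r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run")
# The two Lsa values are also legitimate hardening, so they carry low weight.
REGISTRY_VALUES = {
    (r"HKLM\Software\Microsoft\OLE", "EnableDCOM", "N"): 2,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", 1): 1,
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymoussam", 1): 1,
}

def triage(snapshot):
    """Return (score, findings) for {"registry": {(key, name): data},
    "mutexes": set, "files": {path: mtime in seconds}}."""
    score, findings = 0, []
    reg = snapshot.get("registry", {})
    for key in AUTORUN_KEYS:
        data = reg.get((key, "Intel Proc"))
        if data and ntpath.basename(data).lower() == DROPPED_FILE:
            score += 3
            findings.append(f"autorun {key}\\Intel Proc -> {data}")
    for (key, name, bad), weight in REGISTRY_VALUES.items():
        if reg.get((key, name)) == bad:
            score += weight
            findings.append(f"registry {key}\\{name} = {bad!r}")
    if MUTEX_NAME in snapshot.get("mutexes", ()):
        score += 3
        findings.append(f"mutex {MUTEX_NAME} present")
    files = {ntpath.normcase(p): t for p, t in snapshot.get("files", {}).items()}
    for path, mtime in files.items():
        if ntpath.basename(path) != DROPPED_FILE:
            continue
        score += 3
        findings.append(f"dropped file {path}")
        # The worm copies explorer.exe's timestamp onto its own file: an exact match is the tell.
        if files.get(ntpath.join(ntpath.dirname(path), "explorer.exe")) == mtime:
            score += 1
            findings.append(f"{path} timestamp matches explorer.exe")
    return score, findings

# Constructed snapshot of an infected host for demonstration (not real collected data).
SAMPLE = {
    "registry": {(AUTORUN_KEYS[1], "Intel Proc"): r"C:\WINDOWS\winstep32.exe",
                 (r"HKLM\Software\Microsoft\OLE", "EnableDCOM"): "N"},
    "mutexes": {"Nan0t3k"},
    "files": {r"C:\WINDOWS\winstep32.exe": 1.0e9, r"C:\WINDOWS\explorer.exe": 1.0e9},
}
```

A host that only has the Lsa values set scores low, which keeps a deliberately hardened machine from being reported as infected on those values alone.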
Recommended Action
FortiGate systems:
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has
been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Patch
- Download and install the patch for the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability at http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx