"Worm.P2P.Spybot" targeting Kazaa

Just thought I'd pass this along; I starting picking up activity from this bot a couple of days ago, but didn't actually snag it until yesterday. Here's the DSLR thread I started:
http://www.broadbandreports.com/forum/remark,6921859~root=security,1~mode=flat

The program is probably spreading more via Kazaa but it can spread via open Windows file shares, too, which is how I am seeing it.

Philip Sloss

Added URL tags

 

Just as an "add," I've started a page on this thing here:
http://www.lupwa.org/malware/KazaaSpyBot.html

It's still incomplete and doesn't add any new facts; it has a few more details on when and how this variant was spotted...

Philip Sloss

 

"Dir0
SOFTWARE\KAZAA\LocalContent
012345:%s"

You see this only in a few samples

"Dir0
SOFTWARE\KAZAA\LocalContent
012345:"

is in all

xor

 

I only have the one file, copied about 25 times now in the last day or so (and about the same number of events prior to being able to receive the file). If any of the other variants are propagating via Windows file sharing (rather than Kazaa), then I'm just not seeing them where I am.

As for "012345:%s" vs. "012345:", that's likely just a difference in approach to combining strings (the former being printf-style concatentation).

What it probably means is that all variants spread via Kazaa, but the other functions vary.

The McAfee write-up of the family describes several characteristics in the single variant I have. Here's a direct link:
http://vil.mcafee.com/dispVirus.asp?virus_k=100282

Philip Sloss

 

Just an update: there are at least three other variants that are scanning for open file shares on tcp/445...those were collected overnight...nothing significantly different in what these do, except the botnets are different (different server names, channels, etc).

Philip Sloss