W32.Spybot.Worm??????

Discussion in 'malware problems & news' started by Heath, Oct 13, 2003.

Thread Status:
Not open for further replies.
  1. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    OK, what is W32.Spybot.Worm? I know it's a virus, but I'm concerned, because it says Spybot, it says worm, but Norton called it a virus, so I put it in the virus things. So what should I do?
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It's neither a worm nor a virus in DANGER terms, really.

    It's an IRC bot, which connects to the specified IRC server and then awaits commands. This is the major danger: if the attacker had time and wanted to, they could upload more trojans to your machine.

    It's called a worm because it does self-spread, to create more bots for the attacker to use (for flooding people, usually). It spreads by NetBIOS shares if available; it scans IPs for SubSeven- and Kuang2-infected machines and uploads itself if possible.

    There are many variants because it is open source, so some try to spread via DCOM vulnerabilities or weak ADMIN password protection on NT/2K/XP. Possibly there are other variants which look for IIS and other vulnerabilities too.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The most important thing is, there hasn't been a variant yet which is hard to remove:

    Kill the process, delete the file, delete the registry startup(s).

    Doesn't get much easier :)
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,375
    Location:
    Netherlands
    Killing the process is a bit more complicated than normal, since it disables Windows' Task Manager. ;)

    Regards,

    Pieter
     
  5. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    Well, I looked at "Symantec"'s site (or however you spell it) and they told me to turn off System Restore and scan with Norton, so that's what I did, and Norton didn't find anything. But last night it just popped up out of nowhere and said that I have it. Symantec's site said that you get it from Kazaa, and I haven't had Kazaa on this computer for months, so... how do I get rid of it?
     
  6. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  7. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    OK, now this picture is popping up 2 times at once, and I have tried that site you gave me, gone through the registry, turned off System Restore and ran Norton, and it says it can't find anything. WHAT SHOULD I DO!?!?!?!?!?
     

    Attached Files:

  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,962
    Location:
    New England
    Hi Heath,

    Well, can you use Windows Explorer to navigate to the file that is shown in the alert and delete it? (The OPEN_ME.EXE down in c:\Documents and Settings\Loretta\My Documents\o_O\OPEN_ME.EXE??)

    Unfortunately, the file's location is truncated a bit, but it is definitely down in the My Documents area under the Loretta user account. If you have your XP system set to show all file types, you should be able to find and delete that file.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    How about following Gavin's advice?
    Killing the process: if Task Manager is stopped, then there is always something else to try it with - TDS, Faber Toys, PE, whatever - and if it would still be a problem, there's DelLater to get rid of it if the scanners would still not delete it.
    Make sure there are no outbound connections (block it via PE or a firewall, for example) so it can't tell the whole mIRC world you have it and it can't come to update its payload, etc.
    You might like to zip the thing if you find it on your system so it can't run anymore, and if TDS would not have alerted on it, send it to Gavin at submit@diamondcs.com.au for further specific advice.


    BTW: now you have System Restore off, which also deleted all your former restore points.
    Once you have deleted or zipped the file, and maybe scanned another time to make sure you're clean, you might like to reboot, enable System Restore, manually make a new restore point (please don't forget this!), and test it to see if it's working OK, so in case you do further experiments you have at least this last point to turn back to. And look at what a next scan says about your system.
    You might like to try some online scanner too, like www.ravantivirus.com (nice and quick).
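The removal steps Gavin, Pieter and Jooske describe above (kill the process, delete the file, delete the registry startup entries, block outbound connections, quarantine the sample, make a fresh restore point) as an added example that is not part of any post in this thread. It is a PowerShell script for a current Windows host run from an elevated prompt; the 2003-era XP machine in the thread would not have had these cmdlets. $SuspectName and $SuspectPath are assumptions taken from the alert quoted earlier in the thread, and the DisableTaskMgr policy value is one common way malware disables Task Manager, not something the thread says this bot specifically does.

```powershell
# Added example, not code from the thread. Save as cleanup.ps1 and run elevated.
# $SuspectName / $SuspectPath are assumptions lifted from the alert quoted in the thread;
# substitute the name and path from your own scanner log.
param(
    [string]$SuspectName = 'OPEN_ME',
    [string]$SuspectPath = 'C:\Documents and Settings\Loretta\My Documents\o_O\OPEN_ME.EXE'
)

# 1. Re-enable Task Manager if a policy value has disabled it. (DisableTaskMgr is a
#    common mechanism; the thread does not say which one this bot uses.)
foreach ($hive in 'HKCU', 'HKLM') {
    $policyKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $policyKey) {
        $v = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -ne 0) {
            Write-Host "Clearing DisableTaskMgr under $hive"
            Remove-ItemProperty -Path $policyKey -Name DisableTaskMgr
        }
    }
}

# 2. Before killing anything, list established TCP connections with their owning
#    process, so you can see what the bot is talking to (IRC commonly uses 6660-6669/6697).
Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Process = $proc.ProcessName
        PID     = $_.OwningProcess
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
    }
} | Sort-Object Process | Format-Table -AutoSize

# 3. Block the suspect executable's outbound traffic, then stop the process.
if (Test-Path $SuspectPath) {
    New-NetFirewallRule -DisplayName "Block $SuspectName outbound" -Direction Outbound `
        -Program $SuspectPath -Action Block | Out-Null
}
Get-Process -Name $SuspectName -ErrorAction SilentlyContinue | Stop-Process -Force

# 4. Remove autostart values in the usual Run keys that reference the suspect file.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match [regex]::Escape($SuspectName)) {
            Write-Host "Removing startup entry $key\$name = $value"
            Remove-ItemProperty -Path $key -Name $name
        }
    }
}

# 5. Quarantine rather than just delete: zip the sample (as Jooske suggests) so it
#    cannot run but can still be submitted to a vendor, then remove the original.
if (Test-Path $SuspectPath) {
    $zip = Join-Path $env:TEMP "$SuspectName-quarantine.zip"
    Compress-Archive -Path $SuspectPath -DestinationPath $zip -Force
    Remove-Item -Path $SuspectPath -Force
    Write-Host "Quarantined to $zip"
}

# 6. System Restore was turned off earlier in the thread; once clean, create a fresh
#    restore point so there is a known-good state to return to.
Checkpoint-Computer -Description "After $SuspectName cleanup" -RestorePointType MODIFY_SETTINGS
```

Step 4 only covers the Run/RunOnce keys; a bot can also start from a service, a scheduled task or a Winlogon value, so compare the process list and autostart locations again after a reboot. Your antivirus may itself flag the quarantine zip in %TEMP%, which is expected.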
     
  10. Heath

    Heath Registered Member

    Joined:
    Aug 14, 2003
    Posts:
    60
    Location:
    Paris, Texas
    Yeah, I looked through Norton to the log and got the exact file location, and I can't find it, it isn't there....
    Are there any programs that would get rid of it, like there are for worms like Win32.Blast, etc.?
     