"Worm.P2P.Spybot" targeting Kazaa

Discussion in 'malware problems & news' started by psloss, May 24, 2003.

Thread Status:
Not open for further replies.
  1. psloss

    psloss Security Expert

    Joined:
    Dec 22, 2002
    Posts:
    102
    Location:
    San Diego, CA
    Just thought I'd pass this along; I started picking up activity from this bot a couple of days ago, but didn't actually snag it until yesterday. Here's the DSLR thread I started:
    http://www.broadbandreports.com/forum/remark,6921859~root=security,1~mode=flat

    The program is probably spreading more via Kazaa but it can spread via open Windows file shares, too, which is how I am seeing it.

    Philip Sloss

    Added URL tags
     
  2. psloss

    psloss Security Expert

    Joined:
    Dec 22, 2002
    Posts:
    102
    Location:
    San Diego, CA
    Just as an "add," I've started a page on this thing here:
    http://www.lupwa.org/malware/KazaaSpyBot.html

    It's still incomplete and doesn't add any new facts; it has a few more details on when and how this variant was spotted...

    Philip Sloss
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Philip,

    That's a very fine white paper - compliments ;).

    regards.

    paul
     
  4. xor

    xor Guest

    "Dir0
    SOFTWARE\KAZAA\LocalContent
    012345:%s"

    You see this only in a few samples :rolleyes:

    "Dir0
    SOFTWARE\KAZAA\LocalContent
    012345:"

    is in all :cool:

    xor
     
  5. psloss

    psloss Security Expert

    Joined:
    Dec 22, 2002
    Posts:
    102
    Location:
    San Diego, CA
    I only have the one file, copied about 25 times now in the last day or so (and about the same number of events prior to being able to receive the file). If any of the other variants are propagating via Windows file sharing (rather than Kazaa), then I'm just not seeing them where I am.

    As for "012345:%s" vs. "012345:", that's likely just a difference in approach to combining strings (the former being printf-style concatenation).

    What it probably means is that all variants spread via Kazaa, but the other functions vary.

    The McAfee write-up of the family describes several characteristics in the single variant I have. Here's a direct link:
    http://vil.mcafee.com/dispVirus.asp?virus_k=100282

    Philip Sloss
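    An added example, not part of the thread or of any tool mentioned in it: a small Python triage helper that searches sample files for the string sequence xor quoted (Dir0, the Kazaa LocalContent subkey, the "012345:" prefix) and tells the printf-style "%s" form from the plain one. It assumes the three strings sit consecutively and NUL-separated in the binary, as a strings dump would show them; the sample blobs are constructed.

```python
import re
from typing import Dict, Optional

# The three string fragments quoted in the thread, assumed to be stored
# consecutively as NUL-terminated C strings.  The optional "%s" group is
# what separates the printf-style variant from the plain one.
KAZAA_MARKER = re.compile(
    rb"Dir0\x00+SOFTWARE\\KAZAA\\LocalContent\x00+012345:(%s)?\x00"
)


def classify_sample(data: bytes) -> Optional[str]:
    """Return 'printf-style' if '012345:%s' is present, 'plain' if only
    '012345:' is present, or None if the marker sequence is absent."""
    m = KAZAA_MARKER.search(data)
    if m is None:
        return None
    return "printf-style" if m.group(1) else "plain"


def triage(samples: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Classify every sample and return {name: variant-or-None}."""
    return {name: classify_sample(blob) for name, blob in samples.items()}


# Constructed sample blobs standing in for file contents (not real binaries).
CONSTRUCTED_SAMPLES = {
    "sample_a.exe": (b"MZ\x90\x00" + b"\x00" * 16
                     + b"Dir0\x00SOFTWARE\\KAZAA\\LocalContent\x00012345:%s\x00"
                     + b"\x00" * 8),
    "sample_b.exe": (b"MZ\x90\x00" + b"\x00" * 16
                     + b"Dir0\x00SOFTWARE\\KAZAA\\LocalContent\x00012345:\x00"
                     + b"\x00" * 8),
    "unrelated.exe": b"MZ\x90\x00" + b"Dir0\x00SOFTWARE\\Other\x00",
}

if __name__ == "__main__":
    for name, verdict in triage(CONSTRUCTED_SAMPLES).items():
        print(f"{name}: {verdict or 'no Kazaa marker'}")
```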
     
  6. psloss

    psloss Security Expert

    Joined:
    Dec 22, 2002
    Posts:
    102
    Location:
    San Diego, CA
    Just an update: there are at least three other variants that are scanning for open file shares on tcp/445...those were collected overnight...nothing significantly different in what these do, except the botnets are different (different server names, channels, etc).

    Philip Sloss
     