W32.Spybot.ANDM
Discovered: January 3, 2007
Updated: February 13, 2007 1:03:06 PM
Type: Worm
Infection Length: 168,960 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Spybot.ANDM is executed, it performs the following actions:
Copies itself as any of the following files:
%System%\wnuserv.exe
%System%\ctfmom.exe
%System%\napi32.exe
%System%\soundman.exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates a temporary batch file named c:\a.bat, which in turn creates a registry file in the temporary folder named 1.reg.
Adds the values:
"Windows System Service" = "wnuserv.exe"
"Windows Update Firewall System" = "ctfmom.exe"
"Windows Logon Service" = "napi32.exe"
"Microsoft Sounds" = "soundman.exe"
to the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
so that it runs every time Windows starts.
Adds the value:
"Windows System Service" = "wnuserv.exe"
to the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\OLE\Windows
Modifies the value:
"TransportBindName" = ""
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Modifies the value:
"Start" = "4"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc
Modifies the values:
"EnableDCOM" = "N"
"EnableRemoteConnect" = "N"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
Modifies the value:
"restrictanonymous" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
to prevent NULL session enumeration of the host.
Modifies the value:
"Enabled" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server
Modifies the values:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
Modifies the values:
"NameServer" = ""
"ForwardBroadcasts" = "0"
"IPEnableRouter" = "0"
"Domain" = ""
"SearchList" = ""
"UseDomainNameDevolution" = "1"
"EnableICMPRedirect" = "0"
"DeadGWDetectDefault" = "1"
"DontAddDefaultGatewayDefault" = "0"
"EnableSecurityFilters" = "1"
"AllowUnqualifiedQuery" = "0"
"PrioritizeRecordData" = "1"
"TCP1320Opts" = "3"
"KeepAliveTime" = "23280"
"BcastQueryTimeout" = "002ee"
"BcastNameQueryCount" = "1"
"CacheTimeout" = "0ea60"
"Size/Small/Medium/Large" = "3"
"LargeBufferSize" = "01000"
"SynAckProtect" = "2"
"PerformRouterDiscovery" = "0"
"EnablePMTUBHDetect" = "0"
"FastSendDatagramThreshold " = "400"
"StandardAddressLength " = "18"
"DefaultReceiveWindow " = "4000"
"DefaultSendWindow" = "4000"
"BufferMultiplier" = "200"
"PriorityBoost" = "2"
"IrpStackSize" = "4"
"IgnorePushBitOnReceives" = "0"
"DisableAddressSharing" = "0"
"AllowUserRawAccess" = "0"
"DisableRawSecurity" = "0"
"DynamicBacklogGrowthDelta" = "32"
"FastCopyReceiveThreshold" = "400"
"LargeBufferListDepth" = "a"
"MaxActiveTransmitFileCount" = "2"
"MaxFastTransmit" = "40"
"OverheadChargeGranularity" = "1"
"SmallBufferListDepth" = "20"
"SmallerBufferSize" = "80"
"TransmitWorker" = "20"
"DNSQueryTimeouts" = "31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,30,00,00,00,00,00"
"DefaultRegistrationTTL" = "14"
"DisableReplaceAddressesInConflicts" = "0"
"DisableReverseAddressRegistrations" = "1"
"UpdateSecurityLevel " = "0"
"DisjointNameSpace" = "1"
"QueryIpMatching" = "0"
"NoNameReleaseOnDemand" = "1"
"EnableDeadGWDetect" = "0"
"EnableFastRouteLookup" = "1"
"MaxFreeTcbs" = "7d0"
"MaxHashTableSize" = "800"
"SackOpts" = "1"
"Tcp1323Opts" = "3"
"TcpMaxDupAcks" = "1"
"TcpRecvSegmentSize" = "585"
"TcpSendSegmentSize" = "585"
"TcpWindowSize" = "7d200"
"DefaultTTL" = "30"
"TcpMaxHalfOpen" = "4b"
"TcpMaxHalfOpenRetried" = "50"
"TcpTimedWaitDelay" = "0"
"MaxNormLookupMemory" = "30d40"
"FFPControlFlags" = "1"
"FFPFastForwardingCacheSize" = "30d40"
"MaxForwardBufferMemory" = "19df7"
"MaxFreeTWTcbs" = "7d0"
"GlobalMaxTcpWindowSize" = "7d200"
"EnablePMTUDiscovery" = "1"
"ForwardBufferMemory" = "19df7"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Modifies the values:
"MaxConnectionsPer1_0Server" = "50"
"MaxConnectionsPerServer" = "50"
in the registry subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
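As an added defender-side example (not part of the original write-up), the following Python script parses a regedit-style .reg export, whether the 1.reg file the worm drops or an export an analyst takes from a suspect host, and flags the persistence entries, the services forced to Start=4 and the DCOM/NetBT changes listed above. The .reg text in the script is constructed for illustration; the key paths, value names and file names are the ones given in the write-up.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the write-up: dropped file names and the registry locations they touch.
# Registry paths are case-insensitive, so every path is compared in lower case.
DROPPED_FILES = {"wnuserv.exe", "ctfmom.exe", "napi32.exe", "soundman.exe"}
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE\Windows",
)}
# Services the worm sets to Start=4 (disabled): ICS/firewall, Windows Update, Security Center.
DISABLED_SERVICE_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc",
)}
# (key, value name) -> data the write-up says the worm writes for DCOM and NetBT settings.
TAMPER_VALUES = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole".lower(), "EnableDCOM"): "N",
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole".lower(), "EnableRemoteConnect"): "N",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters".lower(),
     "TransportBindName"): "",
}

Finding = Tuple[str, str, str, object]  # (kind, key path, value name, data)
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslashes and double quotes inside quoted strings.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse regedit export text into {key_path_lowercased: {value_name: data}}.
    Quoted strings and dword: values are decoded; other value types are kept as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # '@=' default values and hex continuation lines are not needed here
        data = m.group("data")
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value: object = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        keys[current][_unescape(m.group("name"))] = value
    return keys


def find_indicators(keys: Dict[str, Dict[str, object]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        if key in RUN_KEYS:
            for name, data in values.items():
                # Compare only the file name, so the legitimate "...\ctfmon.exe" is not
                # confused with the worm's lookalike "ctfmom.exe".
                if isinstance(data, str) and data.lower().rsplit("\\", 1)[-1] in DROPPED_FILES:
                    findings.append(("persistence", key, name, data))
        if key in DISABLED_SERVICE_KEYS and values.get("Start") == 4:
            findings.append(("service_disabled", key, "Start", 4))
        for name, data in values.items():
            if (key, name) in TAMPER_VALUES and TAMPER_VALUES[(key, name)] == data:
                findings.append(("hardening_tamper", key, name, data))
    return findings


def scan_reg_text(text: str) -> List[Finding]:
    return find_indicators(parse_reg_export(text))


# Constructed sample export (illustration only, not captured from an infected host).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows System Service"="wnuserv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft Sounds"="soundman.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

if __name__ == "__main__":
    for kind, key, name, data in scan_reg_text(SAMPLE_EXPORT):
        print(f"{kind:18} {key}\\{name} = {data!r}")
```

Running the script against the constructed export reports two persistence values, the disabled Windows Update service and the EnableDCOM change, while the legitimate ctfmon.exe entry and the normally configured Dnscache service are left alone. A Start value of 4 on wuauserv, wscsvc or SharedAccess is worth an alert on its own, since those services are rarely disabled deliberately on a workstation.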
Starts to log keystrokes whenever the user attempts to access sites that contain the following strings:
e-gold
PayPal
StormPay
Vodafone
Poste Italiane
eBay
Yahoo!
Banca Sella
Bank of America
exploit
Benvenuto a gmail
Msn
pagamento paga
Opens a back door and connects to an IRC server at any of the following hosts:
baba.bestunix.org
server.cisco-systems.jp
pepe83.rr.nu
pepe84.rr.nu
pepe85.rr.nu
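As an added example (not part of the original write-up), the following Python snippet checks DNS query records against the IRC hosts listed above. The log format (timestamp, client address, queried name) and the log lines are constructed for illustration, not any product's native format; a query for a listed host, or for any subdomain of one, is treated as a hit, and names are normalised so that case and a trailing dot do not cause a miss.

```python
import re
from typing import Iterable, List, Tuple

# IRC hosts listed in the write-up above.
C2_HOSTS = {
    "baba.bestunix.org",
    "server.cisco-systems.jp",
    "pepe83.rr.nu",
    "pepe84.rr.nu",
    "pepe85.rr.nu",
}

# Constructed record layout (an assumption): <ISO timestamp> <client IPv4> <queried name>
_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<qname>\S+)$")


def normalize_hostname(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Pepe83.RR.NU.' compares equal to 'pepe83.rr.nu'."""
    return name.rstrip(".").lower()


def matches_c2(qname: str) -> bool:
    """True if qname is a listed host or a subdomain of one (e.g. irc.pepe83.rr.nu).
    A parent domain such as bestunix.org is not a match: only baba.bestunix.org is listed."""
    h = normalize_hostname(qname)
    return any(h == c2 or h.endswith("." + c2) for c2 in C2_HOSTS)


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, hostname) for every record that resolves a listed host."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if m is None:
            continue  # skip malformed records instead of aborting the whole scan
        if matches_c2(m.group("qname")):
            hits.append((m.group("ts"), m.group("client"), normalize_hostname(m.group("qname"))))
    return hits


def clients_contacting_c2(lines: Iterable[str]) -> List[str]:
    """Distinct client addresses that queried a listed host, sorted for reporting."""
    return sorted({client for _, client, _ in scan_dns_log(lines)})


# Constructed sample records (illustration only).
SAMPLE_LOG = """\
2007-01-04T09:12:01Z 10.0.0.17 www.microsoft.com.
2007-01-04T09:12:03Z 10.0.0.17 Pepe83.RR.NU.
2007-01-04T09:12:09Z 10.0.0.23 baba.bestunix.org
2007-01-04T09:12:11Z 10.0.0.23 bestunix.org
malformed line without a client address
2007-01-04T09:13:40Z 10.0.0.41 server.cisco-systems.jp.
""".splitlines()

if __name__ == "__main__":
    for ts, client, host in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}")
    print("clients:", ", ".join(clients_contacting_c2(SAMPLE_LOG)))
```

The hosts a client resolves tell you which machines to pull for the registry and file checks above; a resolution alone is not proof of infection, so treat each hit as a lead to confirm on the host rather than a verdict.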
The attacker may perform the following actions on the compromised computer:
Copy or delete files
Upload and download files
Steal CD keys from various games
Log keystrokes and capture webcam images
Show status
Show IP address
Portscan the network for vulnerable computers
Scan vulnerabilities
Start ftp and tftp
Start Internet Explorer
End processes
Stop other worms
Stop security-related services
List processes
Use a network sniffer
Spreads by exploiting the following vulnerabilities:
The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
The Microsoft ASN.1 Library Multiple Stack-Based Buffer Overflow vulnerabilities (as described in Microsoft Security Bulletin MS04-007).
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011).
The RealVNC Remote Authentication Bypass Vulnerability (as described in CVE-2006-2369).
Symantec Client Security and Symantec AntiVirus Elevation of Privilege (as described in Symantec Advisory SYM06-010).
The Microsoft SQL Server 2000 or MSDE 2000 audit (as described in Microsoft Security Bulletin MS02-061) using UDP port 1433.
Attempts to spread through mIRC and to network shares protected by weak passwords.
This worm attempts to exploit a previously addressed vulnerability in Symantec Client Security and Symantec Antivirus, SYM06-010; patches for the particular Symantec product vulnerability have been available since Thursday, May 25th, 2006. As a result, customers who have applied the patch in their environment are unaffected by the worm's attempt to leverage the Symantec vulnerability for an attack. Customers running Symantec Client Security or Symantec intrusion prevention (IPS) capable products are protected against all known and unknown exploits of SYM06-010 via IPS signatures released on May 26th, 2006.