Worm.P2P.SpyBot
SpyBot is a peer-to-peer worm with backdoor capabilities that can also spread via computers infected with some Backdoor programs. The worm is a Windows PE EXE file that is written in Visual C++.
Installation
While installing itself the worm copies itself to the Windows system directory and sets the Hidden attribute for its copy. This file is then registered in the system registry in the following auto-run key entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
On Windows 9x machines the worm hides itself from the task list.
SpyBot also tries to kill some firewalls and antivirus programs.
Spreading
During the installation process, SpyBot copies itself to the kazaabackupfiles subdirectory in the Windows system directory and registers it as a subdirectory for Kazaa shared files.
Additionally, upon request by the worm's master (controller), the worm searches the Internet for hosts infected with the malicious programs Backdoor.Kuang and Backdoor.SubSeven and uploads itself to these hosts.
Backdoor
The backdoor routine allows a remote master (person or people controlling the worm's backdoor functions) to perform the following actions:
get detailed computer information including the names of the running processes
steal cached passwords in Windows 9x
download a file from a Web site
delete, rename, or execute a file
perform DoS attack on remote computer
scan ports and IP addresses
Other
The SpyBot worm can run a hidden HTTP server on infected machines.
It also establishes a keyboard spy (code that records all key strokes a
user makes on an infected machine) and, upon its master's request, sends
the log file of all keyboard actions to the master.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
270503/100904
