spybot.worm

Thread: spybot.worm

  1. #1
    Member | Join Date: Mar 2004 | Posts: 81

    spybot.worm

    Hey out there.

    I am being hit hard by this virus. I can't understand why it is even hitting me at all. All of the machines that are being hit have up-to-date NAV Pro and Windows 2000 Pro, fully updated.

    I did a scan for viruses in safe mode and none show up. I looked in the registry where Norton's says that the virus should be and there are no entries. I ran Spybot and cleaned out what was found (nothing related to this that I could tell).

    I ran HijackThis and nothing looks out of the ordinary. I'm banging my head against the wall trying to figure out why (and where) this is coming from. Here is the HijackThis log (attachment). Any help is VERY appreciated. I have about 200 computers that are being hit by a 2-3-month-old virus that should not be hitting me at all.

    thanks much for any help / advice.

    ~Halv

  2. #2
    http://www.antionline.com/attachment...achmentid=4913

    That's a checklist you should run through; it will guide you through multiple scans for all sorts of malware. You haven't said anything about adware scans, so the doc I linked will guide you through that. Once you are through that, let us know the results.

    Also~

    What are the names of ALL the scanning tools you currently have on your computer, including Antivirus...

    (reason I ask is because bogus scanners are becoming a problem)


    edit:

    C:\Program Files\TightVNC\WinVNC.exe
    Please, please, please tell me you installed that? Otherwise, you are seriously owned, and should format.
    edit:
    200 computers huh... I don't know what I would do... I would want to format all of them and start strong from scratch, but that's time consuming like none other.

  3. #3
    Member | Join Date: Mar 2004 | Posts: 81
    I have not tried Ad-Aware yet.

    I have NAV Pro and Spybot 1.3 on all the systems. I am in the process of connecting to them all via TightVNC and double checking that the AV, Windows updates, and Spybot are all updated.

  4. #4
    The Doctor Und3ertak3r | Join Date: Apr 2002 | Posts: 2,743
    Just to add to Sodapop's comments..

    There are a ton of adware scanning progs that use the Spybot name.. there is only one Spybot S&D and only one Ad-Aware..

    You say you're getting "Spybot.Worm". What program is telling you this?

    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    Member | Join Date: Mar 2004 | Posts: 81
    Norton is identifying it as w32.spybot.worm

    I have run Norton and no virus found. I ran Trend HouseCall and no virus found. I am running McAfee now and awaiting results...

    Still getting hit though. We are thinking this could be a new variety of that worm or a new thing that Norton is identifying incorrectly.

    hopefully more to post here soon.

    ~Halv

  6. #6
    Senior Member | Join Date: Jan 2003 | Posts: 3,914
    Hey Hey,

    We're being hammered hard here with SpyBot.worm... I was just gonna come here to post about it and I stumbled across this thread. We're seeing infections that are sending 30MB+ down the wire every hour simply in exploit attempts.... Our Residence is bogging down, the guys from our packet shaper said they're impressed that the shaper is still running... The graphs are out of this world and pages are grinding to a halt... We've also got it onto our College network now and it's spreading and hammering machines through here.. In 3 hours I sniffed 3000 connections across 12 VLANs... absolutely horrid..

    Nothing (other than HouseCall and The Cleaner) is known to clean it yet... Norton just gets access denied, AVG gets caught in an endless loop.. eTrust doesn't even notice it.. Since HouseCall requires network access (something we're not willing to do because of how fast this is spreading) and The Cleaner is only free for 30 days (makes it ugly to install and reinstall) we started looking for another solution.. I've written a batch file that does a pretty good job of cleaning up the mess the virus has created. The problem is that there are many variants.. some identified... some not.. so it's hard to catch them all.. My batch file is being used here and is having great success on cleaning machines... Afterwards we just patch them with the MS Sasser patch (MS04-11 or something like that) and make sure that they've got the Rollup for Service Pack 1... Old patches, but we're finding machines in corners without them and tons of machines in res. without them.

    Anyways I thought I'd share the batch file.. it uses del, reg, and pskill.exe; pskill is included and referenced locally....

    Enjoy and Peace,
    HT


    [Edit]

    Sept 15 - 10:47PM EST: Added 1 additional file to kill and delete (JavaTM.exe).
    Sept 16 - 12:28AM EST: Added 2 additional files to kill and delete (Cool.exe & ntsysmgr.exe) from thread -- http://www.antionline.com/showthread...hreadid=262065
    [/Edit]
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  7. #7
    Senior Member | Join Date: Nov 2001 | Posts: 4,786
    ...and for those who don't have reg.exe on their computer:
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  8. #8
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Halv:

    I'm not trying to be mean here but this is a perfect example of why corporate networks and IMO, university networks, shouldn't allow access to mIRC or Kazaa. You wanna do that crap, do it on your time not mine..... The subsequent attack vectors it seems to be using are those that would be perfect for spreading it rapidly through networks that don't have adequate patching policies in place but are firewalled from the world. If you didn't let it in at the start then there wouldn't be this problem now.....

    It's time for us in the network security world to take our heads out of.... well, you know, and start to consider the possibilities of worms that may use one vector to enter but then any number of vectors after to insinuate themselves into the network.... It's called a blended threat and it is hardly new.... M$'s SUS server would have helped a lot. Blocking the (L)user's little "avenues of pleasure" would have helped too....

    <shaking head> I dunno, this all seems a little silly to me as I think about it more....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Jaded Network Admin nebulus200 | Join Date: Jun 2002 | Posts: 1,356
    Originally posted here by Tiger Shark
    Halv:

    I'm not trying to be mean here but this is a perfect example of why corporate networks and IMO, university networks, shouldn't allow access to mIRC or Kazaa. You wanna do that crap, do it on your time not mine..... The subsequent attack vectors it seems to be using are those that would be perfect for spreading it rapidly through networks that don't have adequate patching policies in place but are firewalled from the world. If you didn't let it in at the start then there wouldn't be this problem now.....

    It's time for us in the network security world to take our heads out of.... well, you know, and start to consider the possibilities of worms that may use one vector to enter but then any number of vectors after to insinuate themselves into the network.... It's called a blended threat and it is hardly new.... M$'s SUS server would have helped a lot. Blocking the (L)user's little "avenues of pleasure" would have helped too....

    <shaking head> I dunno, this all seems a little silly to me as I think about it more....
    AMEN

    The thing that you have to consider now is that a lot of these worms come with scanning and sniffing engines that understand multiple protocols (netbios for example). Once they are into a system with a certain set of privileges, they can be quite damaging to other systems because of the 'trust' between that now compromised system and the other systems on the domain (in the case of netbios). If you ever got some of these newer worms into an environment like this, the potential for devastation and continuing infection is extremely high and IMHO every step should be taken to minimize the avenues for entry (virus scanning email, disallowing stupid/dangerous protocols, etc).
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
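    A defender-side way to spot the behaviour HT describes in #6 (one host fanning out across many machines and VLANs, 3000 connections in 3 hours) and nebulus200 describes in #9 (worms with netbios-aware scanning engines) is to triage a connection summary for sources that hit many distinct hosts on the netbios/SMB ports. The script below is an added example, not HT's batch file or any tool from this thread; the log format, the 10.20.x.x addresses and the thresholds are constructed assumptions.

```python
# Added example: triage a sniffer connection summary for worm-style fan-out.
# Not a tool from the thread; log format and addresses are constructed.
from collections import defaultdict
from ipaddress import ip_network

# Ports the thread's vectors live on: netbios/SMB and the LSASS (MS04-011) path.
WORM_PORTS = {135, 139, 445}

# Constructed sample: "timestamp src -> dst:port" lines. 10.20.1.5 sweeps
# three /24s (the cross-VLAN pattern); the other two hosts look normal.
SAMPLE_LOG = """\
12:00:01 10.20.1.5 -> 10.20.1.7:445
12:00:01 10.20.1.5 -> 10.20.1.8:445
12:00:02 10.20.1.5 -> 10.20.2.3:139
12:00:02 10.20.1.5 -> 10.20.2.4:445
12:00:03 10.20.1.5 -> 10.20.3.9:135
12:00:03 10.20.1.5 -> 10.20.3.10:445
12:00:04 10.20.1.9 -> 10.20.1.1:445
12:00:05 10.20.1.9 -> 10.20.1.1:80
12:00:06 10.20.2.3 -> 10.20.1.5:445
"""

def parse_line(line):
    """Return (src, dst, port) for one summary line, or None if malformed."""
    try:
        _ts, src, arrow, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        if arrow != "->":
            return None
        return src, dst, int(port)
    except ValueError:
        return None

def fan_out(log_text, ports=WORM_PORTS, min_targets=5, min_subnets=2):
    """Flag sources that contact at least min_targets distinct hosts on worm
    ports, spread over at least min_subnets /24s (assumed VLAN boundaries).
    Returns {src: (distinct_targets, distinct_subnets)} for flagged sources."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in ports:
            continue
        targets[parsed[0]].add(parsed[1])
    flagged = {}
    for src, dsts in targets.items():
        subnets = {ip_network(d + "/24", strict=False) for d in dsts}
        if len(dsts) >= min_targets and len(subnets) >= min_subnets:
            flagged[src] = (len(dsts), len(subnets))
    return flagged

if __name__ == "__main__":
    for src, (n_hosts, n_nets) in fan_out(SAMPLE_LOG).items():
        print(f"{src}: {n_hosts} hosts on worm ports across {n_nets} /24s")
```

    Hosts the script flags are candidates for isolation and for the cleanup-and-patch pass HT describes, not proof of infection on their own; tune the thresholds to what normal SMB traffic looks like on your segment.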

  10. #10
    Senior Member | Join Date: Jan 2003 | Posts: 3,914
    Hey Hey,

    I agree completely that those shouldn't be allowed, but when you're dealing with a College the problem lies in that you have two networks... Your business network and also a student network... They get into one network and then someone plugging in in the wrong place spreads them across the networks... Also when you've got 800 residence students.. bad things happen...


    Anyways I just wanted to say that we're still finding more files that it's hiding under, so I've updated my batch file...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
