Spybot is a worm that usually arrives on a computer through Peer-to-Peer file sharing, specifically through the Kazaa file sharing network. Its many variants sometimes have other ways of spreading. It has enough variants to go through the alphabet a few times and held a record for the number of variants until it was surpassed by an IRC bot named Gaobot. It is in no way related to the Spybot Search & Destroy program.

Behavior

Spybot infects a computer when a user downloads a Spybot file from the Kazaa network. As is often ascribed to Trojans, the file is disguised as a file that the user may want to download and run.

When Spybot is executed, it copies itself to the system folder as one of three possible names:

• Bling.exe
• Netwmon.exe
• Wuamgrd.exe

The worm modifies the following registry keys with values that will cause it to run when the computer is booted:

• the Local machine run key
• the Local machine run once key
• the Local machine run services key
• the Local machine shell extensions key
• the Current user run key
• the Current user run services key
• the Current user run once key
• the Current user OLE key

It adds the value "dir0 = 012345:[CONFIGURABLE PATH]" to the Kazaa share folders registry key, which creates a new Kazaa network share folder. It copies itself to this folder as a file name that other Kazaa users may want to download.

Spybot connects to an IRC channel and listens for commands from its creator or anyone who knows how to access it. The person in control of Spybot may perform the following actions:

• open a command shell on the compromised computer
• scan for more vulnerable computers
• download or upload files
• list and end running processes
• steal cached passwords
• start local HTTP, FTP, or TFTP servers
• search for files on the compromised computer
• capture screenshots, data from the clipboard, and footage from webcams
• visit websites
• flush the DNS and ARP caches
• intercept packets on the local network
• enable or disable DCOM settings
• restrict network access

It may also act as a keystroke logger when any window is opened with the following names:

• bank
• login
• e-bay
• ebay
• paypal

There are reports of Spybot leaving a file named TFTP*** (each asterisk is a random number) in the startup folder. This file is usually empty.

Effects

Spybot.ACYR was discovered to hav infected computers at two different universities. 30 computers at the University of Arkansas in the US and 150 computers at the University of New South Wales in Australia were infected. Administrators noticed an unusual amount of traffic through port 2967 for about two days.

Variants

Spybot has more variants than almost any other malware. It's number is believed to have been overtaken by Agobot. Some antivirus companies report enough variants to go through the alphabet enough times so that it requires four letters to write the variant name (eg. Spybot.ACYR). It exploited five patched MS Windows vulnerabilities and a six month old flaw in Symantec Antivirus.

The source code for Spybot is available online, contributing to its number of variants.

Name

The first detected variant of Spybot contains the text "spybotmgfhutexname SpyBot1.2" starting at 7470h, accounting for the worm's name. The worm is in no way related to the "Spybot Search & Destroy" program.

Many antivirus vendors found it impractical to detect each variant separately, so most use a generic detection such as p2p-worm/win32/spybot.worm rather than giving each variant a number or letter after the name.

Other Facts

The Kelvir instant message worm uses Spybot's trojan capabilities to determine the language of the victim and send a message to the victim in their language.

Sources

Douglas Knowles. Symantec Security Response, W32.Spybot.Worm.

Kaspersky Labs. SecureList, P2P-Worm.Win32.SpyBot.a.

Robert Lemos. The Register, "Bot spreads through antivirus, Windows flaws". 2006.11.29

John Leyden. The Register, Polyglot IM worm targets MSN. 2005.08.25