FRISK Software International


Summary of W32/Spybot
Risk Level: Low
Distribution: Low
Infection Method: Some W32/Spybot variants have internal functions aimed at spreading through peer-to-peer networks, Kazaa in particular. W32/Spybot has also been seen dropped by computer crackers after a successful attack against Microsoft Windows based systems, as a method of opening up the system for further access. This pattern was seen in manual and semi-automated attacks against systems vulnerable to the RPC DCOM buffer overrun vulnerability, as well as via other attack vectors.
Payload: Compromises system security by allowing unauthorized access to and usage of the system.
 

Brief Description
W32/Spybot is a worm with backdoor capabilities. There are multiple known variants of W32/Spybot, although most of them have the following in common:

1)  Initialization routine:
   The worm copies itself to the system directory, under either a hard-coded or a random name, and marks the file with the hidden attribute. It then creates the following registry keys to point to that copy:


1)   [HKEY_USERS\{Current_user_ID}\Software\Microsoft\Windows\CurrentVersion\Runonce]
     ["Winsock2 driver"="name_of_infected_file.EXE"]

2)   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     ["Winsock2 driver"="name_of_infected_file.EXE"]


Some variants incorporate routines aimed at spreading through peer-to-peer networks, usually consisting of the following:
  • Creating a directory under %system_dir% with the common name \kazaabackupfiles, and placing a copy there under either a random name or a hard-coded one such as "download_me.exe".
  • Creating, or modifying if already present, the registry key commonly used by Kazaa to point to the folder that is shared with other users on the P2P network:
       [HKEY_USERS\S-1-5-21-1292428093-492894223-854245398-500\Software\KAZAA\LocalContent]
       ["Dir0"="012345:%system_dir%\kazaabackupfiles\"]
This routine is not present in every variant of the W32/Spybot.

2)  Remote connection:
   W32/Spybot usually attempts to connect to a remote IRC server, where it joins a predefined channel and waits there listening for commands from remote attackers. The IRC client within W32/Spybot responds to various commands, giving the attacker full control over the compromised system; they include for example:
  • Keylogging: Either sends captured keystrokes directly to the attacker through IRC or writes them to a log file.
  • Basic monitoring of activity performed on the system, such as pop-up windows, the text of those windows etc.
  • File uploading / downloading and execution of the uploaded files.
  • System information retrieval and display, including detailed information about the system itself, type of operating system, network shares etc.
  • System password retrieval (function intended to work on Windows 9x systems)
  • DoS capabilities (TCP SYN-packet flood)
  • Opening a web server on the compromised system
  • Spawning a command shell accessible to the attacker
  • Misc. actions, such as restart, opening the CD-ROM drive etc.


Technical Description
W32/Spybot is a standard Win32 application written in C++. It consists of a single PE executable, often compressed with one of various executable compressors, so the on-disk size differs between samples. Uncompressed, the worm is usually around 45,000 bytes in size.

After the standard initialization routine, the worm runs a simple decryption routine on a pair of strings later used by its registry functions. Those two strings are:

1)  \SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2)  \SOFTWARE\Microsoft\Windows\CurrentVersion\Run

The decoding routine is relatively straightforward, consisting of a simple character displacement. This routine is one of the identifying parts of Spybot, as is the constant size of the strings used (50 bytes and 46 bytes):

beginning_of_loop:
movzx eax, [counter] ; EAX = current offset into the string
add eax, ecx ; EAX = pointer to the current character (ECX = start of the string)
movsx edx, byte ptr [eax] ; EDX holds the character
sub edx, esi ; EDX subtracted by the 'key', a constant value used throughout the routine
mov [eax], dl ; Decoded character replaces the encoded one
add [counter], 1 ; Counter incremented
movzx eax, [counter] ; EAX = counter
cmp byte ptr [ecx+eax], 0 ; Comparison check, whether the routine has reached the end of the string
jnz short beginning_of_loop ; if not, continue decoding routine

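The following Python is an added example, not code from FRISK or from the worm: it models the displacement decoder above and turns the two fixed string lengths into a detection check over a byte buffer. The sample buffer and its key value of 7 are constructed; the page only states that the key is a constant held in ESI.

```python
# Added example: models the W32/Spybot character-displacement decoder and uses
# the two fixed string lengths (50 and 46 bytes) as a detection heuristic.

# The two plaintext strings the routine recovers (from the description above).
REGISTRY_STRINGS = (
    b"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",  # 50 bytes
    b"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",      # 46 bytes
)

def encode_displacement(plain: bytes, key: int) -> bytes:
    """Inverse of the worm's loop: add the key to every byte and append the NUL
    terminator the loop stops on. Only used here to build a constructed sample."""
    return bytes((b + key) & 0xFF for b in plain) + b"\x00"

def decode_displacement(buf: bytes, start: int, key: int) -> bytes:
    """Mirror of the assembly: 'sub edx, esi' then 'mov [eax], dl' is an 8-bit
    subtraction of the key per byte, repeated until the next byte is 0."""
    out = bytearray()
    i = start
    while i < len(buf) and buf[i] != 0:
        out.append((buf[i] - key) & 0xFF)
        i += 1
    return bytes(out)

def find_encoded_registry_strings(buf: bytes) -> list:
    """Defender-side check: walk the NUL-separated runs in a buffer, look only at
    runs of the two known lengths, derive the candidate key from the first byte
    (both plaintexts start with '\\', 0x5C) and verify the full decode."""
    hits = []
    pos = 0
    while pos < len(buf):
        end = buf.find(b"\x00", pos)
        if end == -1:
            end = len(buf)
        if end - pos in (46, 50):
            key = (buf[pos] - 0x5C) & 0xFF
            decoded = decode_displacement(buf, pos, key)
            if decoded in REGISTRY_STRINGS:
                hits.append((pos, key, decoded))
        pos = end + 1
    return hits

# Constructed sample: the two strings encoded with an assumed key of 7 and
# surrounded by filler, standing in for a carved region of an unpacked file.
SAMPLE_KEY = 7
SAMPLE_BLOB = (b"filler\x00"
               + encode_displacement(REGISTRY_STRINGS[0], SAMPLE_KEY)
               + b"xx\x00"
               + encode_displacement(REGISTRY_STRINGS[1], SAMPLE_KEY))
```

Running `find_encoded_registry_strings(SAMPLE_BLOB)` reports both strings with their offsets and the recovered key; a packed sample must be unpacked first, since the loop only operates on the plain image.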

The next step for Spybot is to determine the location from which it was executed. During this routine the worm retrieves the system directory. If the worm is not executed from the system directory, it copies itself there, either under a random name generated by a function within the worm's body or under a hard-coded name. This file is then marked with the hidden attribute.

Once the file has been copied to the system directory, the worm creates a couple of registry entries to ensure that it is run on the next Windows startup; the strings it decoded earlier are put to use here. W32/Spybot creates two registry entries. The value name "Winsock2 driver" is common, but not used in all variants of W32/Spybot:

1)   [HKEY_USERS\{Current_user_ID}\Software\Microsoft\Windows\CurrentVersion\Runonce]
     ["Winsock2 driver"="name_of_infected_file.EXE"]

2)   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     ["Winsock2 driver"="name_of_infected_file.EXE"]

If the worm was not executed from the system directory, the original process executes the dropped copy and terminates itself, leaving the copy running in memory. Some Spybot variants also place copies of themselves in other folders, including the 'Start Menu' folders, whose paths differ depending on the version of Windows present on the system.

Some variants incorporate routines aimed at spreading through peer-to-peer networks, usually consisting of the following:
  • Creating a directory under %system_dir% with the common name \kazaabackupfiles, and placing a copy there under either a random name or a hard-coded one such as "download_me.exe".
  • Creating, or modifying if already present, the registry key commonly used by Kazaa to point to the folder that is shared with other users on the P2P network:
       [HKEY_USERS\S-1-5-21-1292428093-492894223-854245398-500\Software\KAZAA\LocalContent]
       ["Dir0"="012345:%system_dir%\kazaabackupfiles\"]
This routine is not present in every variant of W32/Spybot.
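The autostart values and the Kazaa share entry described above can be checked offline in a registry export. The following Python is an added example (not FRISK's code) that parses a constructed .reg text and applies the two rules drawn from the description; the file name and SID in the sample are the page's own placeholders, and the benign second value is invented for contrast.

```python
# Added example: flags the W32/Spybot persistence and Kazaa share entries in a
# Windows .reg export (constructed sample below; not FRISK's code).
import re

RUN_KEY_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\run",
)
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_export(text: str) -> dict:
    """Minimal parser for the 'Windows Registry Editor' text format: returns
    {key_path: {value_name: data}} for string values; .reg doubles backslashes."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:
                entries[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return entries

def find_spybot_indicators(entries: dict) -> list:
    """Two rules from the description: a 'Winsock2 driver' value under Run or
    RunOnce, and a Kazaa Dir<n> share entry pointing at kazaabackupfiles."""
    findings = []
    for key, values in entries.items():
        low = key.lower()
        if low.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if name.lower() == "winsock2 driver":
                    findings.append(("autostart", key, name, data))
        if low.endswith(r"\software\kazaa\localcontent"):
            for name, data in values.items():
                if name.lower().startswith("dir") and "kazaabackupfiles" in data.lower():
                    findings.append(("p2p-share", key, name, data))
    return findings

# Constructed sample export: the file name is the description's placeholder and
# the SID is the one quoted above, not a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Winsock2 driver"="name_of_infected_file.EXE"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_USERS\S-1-5-21-1292428093-492894223-854245398-500\Software\KAZAA\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles\\"
'''
```

Because the worm's registry thread re-creates these values periodically, a clean export only proves absence at the moment of export; re-check after the process list has been cleaned.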

W32/Spybot checks the parameters it is passed when executed and compares them to the predefined string 'mElT'. If that parameter is passed, it tries to inject itself into the Explorer.exe process memory space. However, this function is likely to fail on NT-based systems.

To determine whether it is already memory resident, the worm creates a mutex whose name differs between variants. If a mutex of the same name is already present, the worm exits. This ensures that only one copy of the worm is active in memory at any given time.

W32/Spybot tries to locate the 'RegisterServiceProcess' API function exported by kernel32.dll on Windows 9x systems. If that API is present, the worm registers itself as a service process, which hides the W32/Spybot process from the "Close Program" dialog on Windows 9x. It also resolves the API functions it needs later on when monitoring running processes.

After initializing Winsock (if this fails, the worm terminates itself), the worm sets up the environment for its thread-based execution, each thread serving its own purpose. W32/Spybot normally has three threads running constantly and creates new ones as needed, mostly to serve commands issued through its IRC component. Among those threads are the following two:

1)   Process checking routine: This thread periodically takes snapshots of the running processes and terminates any whose names match a list hard-coded within the worm's body. The list may include various AV/firewall processes as well as built-in Microsoft Windows tools such as 'REGEDIT.EXE', 'MSCONFIG.EXE', 'TASKMGR.EXE' and 'NETSTAT.EXE'.

2)   Registry routine: This thread is an isolated copy of the original registry routine within the worm's body. Its purpose is to periodically re-create the registry values previously added by the worm.

W32/Spybot creates a new thread, which opens a socket on the infected system. Through this socket a connection attempt is made to a remote IRC server. Depending on the variant, the connection is made either after resolving a DNS name for the remote server or by connecting directly to an IP address. If the outbound connection succeeds, the worm joins a pre-defined channel, using a channel key if required, and sits there listening for commands from the attackers. Usually the IRC client is marked invisible on the server, partially hiding it from other users on the network. The IRC client within W32/Spybot responds to various commands, giving the attacker full control over the compromised system; they include for example:
  • Keylogging: Either sends captured keystrokes directly to the attacker through IRC or writes them to a log file.
  • Basic monitoring of activity performed on the system, such as pop-up windows, the text of those windows etc.
  • File uploading / downloading and execution of the uploaded files.
  • System information retrieval and display, including detailed information about the system itself, type of operating system, network shares etc.
  • System password retrieval (function intended to work on Windows 9x systems)
  • DoS capabilities (TCP SYN-packet flood)
  • Opening a web server on the compromised system
  • Spawning a command shell accessible to the attacker
  • Misc. actions, such as restart, opening the CD-ROM drive etc.


Analysis / Description: Sindri Bjarnason - Virus analyst FRISK Software International