W32.Spybot.Worm is a detection for a family of worms that spreads using KaZaA file sharing and mIRC. This worm can also spread to computers that are infected with common backdoor Trojan horses.
W32.Spybot.Worm can perform different backdoor-type functions by connecting to a configurable IRC server and joining a specific channel to listen for instructions. Newer variants may also spread by exploiting the following vulnerabilities:
The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (described in Microsoft Security Bulletin MS04-011).
The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445.
Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
Also Known As: Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend], Win32.Spybot.gen [Computer Associates]
Type: Worm
Infection Length: various
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x