AlphaOne Technology Support Forums
Board: Virus Alerts
Topic: W32.Spybot.UOL
Author: TJ (Tech Team)
W32.Spybot.UOL
« on: August 24, 2005, 08:21:49 PM »

W32.Spybot.UOL is a worm that has distributed denial of service and back door capabilities. The worm spreads by exploiting vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability.

When executed, W32.Spybot.UOL performs the following actions:

   1. Copies itself as %System%\qsecue.exe

      Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

   2. Adds the value:

      "Quantifier Security" = "qsecue.exe"

      to the registry subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

      so that it runs every time Windows starts.

   3. Adds the value:

      "EnableDCom" = "N"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

   4. Adds the value:

      "restrictanonymous" = "1"

      to the registry subkey:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa

   5. Opens a back door by connecting to an IRC channel through TCP port 6060 on the dr2.pr1v.info domain.

   6. Listens for commands that allow the remote attacker to perform the following actions:

          * Download and execute files
          * List, stop, and start processes and threads
          * Launch ACK, SYN, UDP, and ICMP Denial of Service attacks
          * Perform port redirection
          * Send files over IRC
          * Start a local FTP server
          * Scan the network for vulnerable computers by means of port scanning
          * Flush the DNS and ARP caches
          * Open a command shell on the compromised computer
          * Restart the compromised computer
          * Gather system information
          * Sniff network traffic
          * Steal CD Keys of installed software
          * Log keystrokes

   7. Scans for computers on TCP ports 139 and 445 and tries to exploit the following vulnerabilities:

          * The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-026).
          * The Microsoft Windows Local Security Authority Service Remote Buffer Overflow (as described in Microsoft Security Bulletin MS04-011)
          * The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039)


REMOVAL INSTRUCTIONS
See: http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.uol.html

To delete the value from the registry:
   1. Click Start > Run.
   2. Type regedit.
   3. Click OK.
   4. Navigate to each of the subkeys:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE

   5. In the right pane, delete the value:

      "Quantifier Security" = "qsecue.exe"

   6. Exit the Registry Editor.
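An added read-only audit script (not part of this post or of Symantec's writeup) that checks a host for the indicators listed above: the dropped file, the "Quantifier Security" autorun value in the three subkeys, a running qsecue process, and the two hardening values the worm sets. It assumes it is run from an elevated PowerShell prompt and that %System% resolves to [Environment]::SystemDirectory.

```powershell
# Added example: audit a Windows host for W32.Spybot.UOL indicators.
# Reports only; it deletes nothing. Assumes an elevated PowerShell session.

$indicatorName  = 'Quantifier Security'
$indicatorValue = 'qsecue.exe'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\OLE'
)
$findings = @()

# 1. Dropped file in the System folder (%System% in the writeup).
$dropped = Join-Path ([Environment]::SystemDirectory) $indicatorValue
if (Test-Path -LiteralPath $dropped) {
    $findings += "File present: $dropped"
}

# 2. A process with the dropped file's name is still running.
if (Get-Process -Name 'qsecue' -ErrorAction SilentlyContinue) {
    $findings += "Process running: qsecue"
}

# 3. Autorun value under each of the three subkeys the writeup names.
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $indicatorName)) {
        $findings += "Registry value '$indicatorName' = '$($props.$indicatorName)' under $key"
    }
}

# 4. Settings the worm changes. Both are also legitimate hardening values,
#    so they are reported as corroborating evidence only, never on their own.
$ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\OLE' -ErrorAction SilentlyContinue
if ($ole -and $ole.EnableDCOM -eq 'N') {
    $findings += "Corroborating: EnableDCOM = N (DCOM disabled)"
}
$lsa = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.restrictanonymous -eq 1) {
    $findings += "Corroborating: restrictanonymous = 1"
}

if ($findings.Count -eq 0) {
    Write-Output 'No W32.Spybot.UOL indicators found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

A file or autorun hit is the actionable signal; the two corroborating values alone are not evidence of infection, since administrators set them deliberately.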