MIRC virus W32.Spybot.Worm
Here's what I caught on mIRC from some bastard who typed one command line and gave me this virus, which can't be repaired by Norton Antivirus, which is really not great, crap even.
PS: I managed to get rid of it by searching forums on the internet: you have to kill the exe in Ctrl+Alt+Del under running processes, then reboot with F8, mode: Last Known Good Configuration.
Here is the message from the Norton site, PATCH section:
W32.Spybot.Worm is a detection for a family of worms that spreads using KaZaA file-sharing and mIRC. This worm can also spread to computers infected with common Backdoor Trojan Horses.
W32.Spybot.Worm can perform different backdoor-type functions by connecting to a configurable IRC server and joining a specific channel to listen for instructions.
Note: The October 8, 2003 virus definitions contain a modified W32.Spybot.Worm detection which accounts for a minor variation discovered on October 7, 2003.
Also Known As: Worm.P2P.SpyBot.gen [KAV], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend], Win32.Spybot.gen [CA]
Type: Worm
Infection Length: various
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Virus Definitions (Intelligent Updater) *: April 16, 2003
Virus Definitions (LiveUpdate™) **: April 16, 2003
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild:
Number of infections: More than 1000
Number of sites: More than 10
Geographical distribution: High
Threat containment: Easy
Removal: Moderate
Threat Metrics
Wild: Medium
Damage: Medium
Distribution: Medium
Damage
Payload:
Releases confidential info: Sends personal data to an IRC channel.
Compromises security settings: Allows unauthorized commands to be executed on an infected machine.
Distribution
Shared drives: Spreads using the KaZaA file-sharing network, as well as spreading through mIRC.
When W32.Spybot.Worm is executed, it does the following:
1. Copies itself to the %System% folder.
   NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Creates and shares a folder on the KaZaA file-sharing network, by adding the following registry value:
   "dir0"="012345:<configurable path>"
   to the registry key:
   HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent
3. Copies itself to the configured path as filenames designed to trick other users into downloading and executing the worm.
4. Can be configured to perform a Denial of Service (DoS) on specified servers.
5. Can be configured to terminate security product processes.
6. Connects to specified IRC servers and joins a channel to receive commands. One such command is to copy itself to many hard-coded Windows Startup Folders, such as:
   Documents and Settings\All Users\Menu Start\Programma's\Opstarten
   WINDOWS\All Users\Start Menu\Programs\StartUp
   WINNT\Profiles\All Users\Start Menu\Programs\Startup
   WINDOWS\Start Menu\Programs\Startup
   Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
   Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
   Documents and Settings\All Users\Start Menu\Programs\Startup
   NOTE: Symantec Security Response has received reports of variants of this worm creating zero-byte files in the Startup folder. These files may have filenames such as "TFTP780" or "TFTP###", where # can be any number.
7. Adds a variable registry value to one or both of the following registry keys:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
8. May log keystrokes to a file in the System folder.
9. May send personal information, such as the Operating System, IP Address, User Name, and so on, to the IRC server.
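The host artifacts listed in the advisory above can be checked offline against a registry export and a file listing. The following is an added example, not part of the original post or of Symantec's write-up; the function names, finding labels and sample data are constructed for illustration.

```python
import re

# Keys and name patterns taken from the advisory text quoted above.
KAZAA_KEY = r"HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent".lower()
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run".lower(),
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce".lower(),
}
TFTP_NAME = re.compile(r"^TFTP\d+$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_LINE.match(line)):
            # .reg files escape backslashes and quotes inside string data.
            name, data = (s.replace("\\\\", "\\").replace('\\"', '"') for s in m.groups())
            yield key, name, data

def triage(reg_text, files):
    """files: iterable of (path, size_in_bytes). Returns (label, detail) findings."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k == KAZAA_KEY and name.lower() == "dir0" and data.startswith("012345:"):
            # Compare the shared path with the folder the user actually configured.
            findings.append(("kazaa_share_review", data.split(":", 1)[1]))
        elif k in RUN_KEYS:
            # The advisory says the value name varies, so every entry is listed for review.
            findings.append(("autorun_review", f"{name} -> {data}"))
    for path, size in files:
        folder, _, fname = path.replace("/", "\\").rpartition("\\")
        leaf = folder.rpartition("\\")[2].lower()
        if size == 0 and TFTP_NAME.match(fname) and leaf in ("startup", "opstarten"):
            findings.append(("zero_byte_tftp", path))
    return findings

# Constructed sample input: a .reg export fragment and a file listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent]
"dir0"="012345:C:\\example_share"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="example_updater.exe"
'''
SAMPLE_FILES = [
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\TFTP780", 0),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\notes.txt", 120),
    (r"C:\Temp\TFTP123", 0),
]
```

Calling `triage(SAMPLE_REG, SAMPLE_FILES)` returns one finding per artifact; the two `*_review` labels mark entries that need a human decision, since a legitimate KaZaA install and legitimate autostart programs use the same keys.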