Solved

w32.Spybot.worm is still spreading

Posted on 2010-01-12
Last Modified: 2013-12-09
w32.Spybot.worm is still spreading on my network to machines that are patched and have up-to-date virus defs. Anyone know if there is a new variant out there that is doing this?
Question by:lmangum
5 Comments
 
LVL 4

Expert Comment

by:Medianoche
ID: 26295211
Check your AV's version (not the virus defs date).
If it's too old, it might not be able to completely remove the infection.

Also check this site for countermeasures!

Greetings!
0
 

Author Comment

by:lmangum
ID: 26295268
We have done all of this and have Symantec Corp Edition at 10.1.6 or higher in all locations, which according to Symantec should be good. Also we are running a WSUS server in each location and have verified that the machines are getting the needed Windows patch.
0
 
LVL 4

Accepted Solution

by:
Medianoche earned 500 total points
ID: 26295486
I have a six-thousand-computer network using v10.1.5 and w32.spybot.worm was disinfected correctly ages ago.

Check that all these vulnerabilities are fixed:

    * The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
    * The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 135, 139 or 445.
    * The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
    * The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
    * The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
    * The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
    * The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
    * The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
    * The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
    * The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS06-040).
    * Symantec Client Security and Symantec AntiVirus Elevation of privilege (as described in Symantec Advisory SYM06-010).
    * Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)



A few variations of w32.spybot.worm have been detected, but none has been able to survive that long.
There must be some focal point from which it's spreading, maybe a PC with a non-working AV. Check your Symantec Console for any ERROR on the deployed AVs. Also, old OSes are easier to infect than new ones. Are there any W2K machines on your network?

Greetings!
0
 
LVL 4

Expert Comment

by:Medianoche
ID: 26340511
Any update?

=)
0
 

Author Closing Comment

by:lmangum
ID: 31676214
Found multiple machines on the plant floor running 7.x and 8.x clients that were not reporting to the server and had not updated pattern files since 06.
0
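The check the accepted answer points to, and that the closing comment confirms (old clients that never report to the server and carry stale pattern files), can be automated by comparing a network host inventory against an export of the AV console's client list. This is an added example, not part of the original thread; the CSV columns, host names, sample rows and thresholds are constructed assumptions, not a Symantec export format.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for illustration only.
NETWORK_HOSTS = ["PLANT-01", "PLANT-02", "OFFICE-01", "OFFICE-02", "OFFICE-03"]
AV_EXPORT = """host,client_version,defs_date,last_checkin
OFFICE-01,10.1.6,2010-01-11,2010-01-12
OFFICE-02,10.1.6,2009-11-02,2010-01-12
OFFICE-03,10.1.5,2010-01-11,2009-12-01
PLANT-01,8.1.0,2006-03-14,2006-03-20
"""

def parse_version(text):
    """Turn '10.1.6' into (10, 1, 6) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def audit(hosts, export_csv, today, min_version=(10, 1, 5),
          max_defs_age=7, max_checkin_age=7):
    """Return {host: [findings]} for every host with at least one finding.

    min_version and the age limits (in days) are assumed policy values.
    """
    clients = {row["host"].strip().upper(): row
               for row in csv.DictReader(io.StringIO(export_csv))}
    findings = {}
    # Union of both lists: hosts the console has never seen are the likely
    # "focal point", so they must not drop out of the report.
    for host in sorted({h.upper() for h in hosts} | set(clients)):
        issues = []
        rec = clients.get(host)
        if rec is None:
            issues.append("no AV client known to the console")
        else:
            if parse_version(rec["client_version"]) < min_version:
                issues.append(f"old client {rec['client_version']}")
            defs_age = (today - date.fromisoformat(rec["defs_date"])).days
            if defs_age > max_defs_age:
                issues.append(f"definitions {defs_age} days old")
            checkin_age = (today - date.fromisoformat(rec["last_checkin"])).days
            if checkin_age > max_checkin_age:
                issues.append(f"no check-in for {checkin_age} days")
        if issues:
            findings[host] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(NETWORK_HOSTS, AV_EXPORT, date(2010, 1, 12)).items():
        print(f"{host}: {'; '.join(issues)}")
```

The host inventory should come from a source independent of the AV console (DHCP leases, directory computer accounts, switch tables), since a client that never registered will not appear in the console at all.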
