w32.Spybot.worm is still spreading

w32.Spybot.worm is still spreading on my network to machines that are patched and have up-to-date virus defs. Anyone know if there is a new variant out there that is doing this?
Asked by: lmangum
1 Solution
 
Medianoche commented:
Check your AV's version (not the virus defs date).
If it's too old, it might not be able to completely remove the infection.

Also check this site for countermeasures!

Greetings!
 
lmangum (Author) commented:
We have done all of this and have Symantec Corp Edition at 10.1.6 or higher in all locations, which according to Symantec should be good. Also, we are running a WSUS server in each location and have verified that the machines are getting the needed Windows patches.
 
Medianoche commented:
I have a six-thousand-computer network using v10.1.5, and w32.spybot.worm was disinfected correctly ages ago.

Check that all these vulnerabilities are fixed:

    * The DCOM RPC Vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
    * The LSASS vulnerability (described in Microsoft Security Bulletin MS04-011) using TCP ports 135, 139 or 445.
    * The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000 audit (described in Microsoft Security Bulletin MS02-061) using UDP port 1434.
    * The WebDav Vulnerability (described in Microsoft Security Bulletin MS03-007) using TCP port 80.
    * The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS01-059).
    * The Workstation Service Buffer Overrun Vulnerability (described in Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users are protected against this vulnerability if the patch in Microsoft Security Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch in Microsoft Security Bulletin MS03-049.
    * The Microsoft Windows SSL Library Denial of Service Vulnerability (described in Microsoft Security Bulletin MS04-011).
    * The VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability (as described here).
    * The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039).
    * The Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS06-040).
    * Symantec Client Security and Symantec AntiVirus Elevation of privilege (as described in Symantec Advisory SYM06-010).
    * Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874)

A few variants of w32.spybot.worm have been detected, but none has been able to survive that long.
There must be some focal point from which it's spreading, maybe a PC with a non-working AV. Check your Symantec Console for any ERROR on the deployed AVs. Also, old OSes are easier to infect than new ones. Is there any W2K on your network?

Greetings!
 
Medianoche commented:
Any update?

=)
 
lmangum (Author) commented:
Found multiple machines on the plant floor running 7.x and 8.x clients that were not reporting to the server and had not updated pattern files since '06.
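As an added example that is not part of the thread, here is a small Python triage script for the pattern the asker eventually found: clients on an old engine version, clients with stale definitions, and clients that have stopped reporting to the console. Only the 10.1.6 version threshold comes from the thread; the CSV layout, the sample rows, the "today" date and the two age windows are constructed assumptions for this example.

```python
"""Triage an AV-client inventory for the infection focal points this thread
describes: clients on an old engine version, clients with stale definitions,
and clients that have stopped reporting to the management console."""
import csv
import io
from datetime import date

# 10.1.6 is the version the thread treats as current; the two age windows
# are assumed operational values, not figures from the thread.
MIN_CLIENT_VERSION = (10, 1, 6)
MAX_DEF_AGE_DAYS = 14
MAX_CHECKIN_AGE_DAYS = 7

# Constructed "today" so the sample output is reproducible.
AS_OF = date(2008, 11, 21)

# Constructed sample export (a real console export will use other column names).
SAMPLE_INVENTORY = """host,client_version,defs_date,last_checkin
office-01,10.1.6,2008-11-20,2008-11-21
office-02,10.1.5,2008-11-19,2008-11-21
plant-07,7.6.1,2006-03-02,2006-03-02
plant-12,8.1.0,2006-09-14,2008-06-30
dc-01,10.1.7,2008-11-21,2008-11-21
"""

def parse_version(text):
    """'10.1.6' -> (10, 1, 6); non-numeric parts become 0 so comparison still works."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def triage(csv_text, today=AS_OF):
    """Return {host: [reasons]} for every host that matches one of the patterns."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if parse_version(row["client_version"]) < MIN_CLIENT_VERSION:
            reasons.append("old client " + row["client_version"])
        defs_age = (today - date.fromisoformat(row["defs_date"])).days
        if defs_age > MAX_DEF_AGE_DAYS:
            reasons.append(f"definitions {defs_age} days old")
        checkin_age = (today - date.fromisoformat(row["last_checkin"])).days
        if checkin_age > MAX_CHECKIN_AGE_DAYS:
            reasons.append(f"not reporting for {checkin_age} days")
        if reasons:
            findings[row["host"]] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(reasons))
```

Hosts that trip all three checks at once (old client, stale definitions, silent for years) are the "focal point" candidates Medianoche describes; they never received a current engine and so never cleaned the worm.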
