W32.Spybot.Worm

profdlp The Holy City Of Westlake, Ohio
edited July 2003 in Science & Tech
I got an alert from Norton AV telling me that I'm infected with the W32.Spybot.Worm virus, and that it could not be repaired/quarantined.

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

After I stopped cussing (and changed my pants), I ran a full system scan (latest definitions used - 07/02/03). It found no virus. Also, following Symantec's removal procedure there is no evidence in the registry (or elsewhere) of the virus.

Q. Is there anything else I should do, besides be vigilant?

Q. Is NAV known to give false reports?

One other note: Symantec says that W32.Spybot.Worm is of variable size, and modifies itself frequently.


Prof:rolleyes:

Comments

  • primesuspect Beepin n' Boopin Detroit, MI Icrontian
    edited July 2003
    Sometimes these things can be really sucky. I hate to say it, but you might want to consider reinstalling. Just to be sure.
  • Spinner Birmingham, UK
    edited July 2003
    Have you checked your quarantined items to see if NAV actually managed to put a bubble around it?
  • profdlp The Holy City Of Westlake, Ohio
    edited July 2003
    primesuspect said
    Sometimes these things can be really sucky. I hate to say it, but you might want to consider reinstalling. Just to be sure.

    It may well come to that. I have done a little more checking and it seems that there were a few false alarms regarding this one. On the other hand, some people got the NAV warning and ran several scans before they found it.

    This may be a dumb question, but can stuff in the registry be "hidden" so that you won't see it in regedit? The reason I ask is that none of the places where Symantec says it needs to be cleaned out from show anything at all.

    Spinner said
    Have you checked your quarantined items to see if NAV actually managed to put a bubble around it?

    Yes, checked it first thing. Totally empty.


    Prof:eek:
  • Spinner Birmingham, UK
    edited July 2003
    When W32.Spybot.Worm is executed, it does the following:

    Copies itself to the System folder.

    Creates and shares a folder on the KaZaA file-sharing network, by adding the following registry value:

    "dir0"="012345:<configurable path>"

    to the registry key:

    HKEY_CURRENT_USER\SOFTWARE\KAZAA\LocalContent

    Adds a variable registry value to one or both of the following registry keys:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

    After reading through the Symantec brief you linked to, I think it's safe to sound the all clear. If the above quoted registry values which the virus creates are not present on your system, in all likelihood it was a false alarm.

    Nevertheless, I suggest you have a manual and thorough look through your system folder (with folder settings configured so you can see all files). I suggest you also erase all temp directories and run some more individual folder-by-folder scans. Also try running some regcleaner programs, as they are quite good at detecting odd entries in the registry. Also, if you use any peer-to-peer software, I suggest you double check that no extra shared folders have been created on your hard drive and that none of the files you are downloading or attempting to download are showing signs of being troublesome. If in doubt, scan then delete.

    I think though this time, you can hold off with the re-install.

    SPINNER
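The registry artifacts quoted in the Symantec brief above can be checked from a script as well as by eye in regedit. The following PowerShell is an added example written for this thread, not code from Symantec or from any poster; it assumes a Windows host, reads the keys the brief names, and reports what it finds without deleting anything.

```powershell
# Added example (not from this thread or from Symantec): a read-only check for
# the W32.Spybot.Worm registry artifacts listed in the brief. Lists, never deletes.

function Get-SpybotRegistryFindings {
    $findings = @()

    # Artifact 1: "dir0"="012345:<configurable path>" under the KaZaA LocalContent key.
    $kazaaKey = 'HKCU:\SOFTWARE\KAZAA\LocalContent'
    if (Test-Path $kazaaKey) {
        $props = Get-ItemProperty -Path $kazaaKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'dir*' -and ([string]$p.Value) -like '012345:*') {
                $findings += "Suspicious KaZaA share value: $($p.Name)=$($p.Value)"
            }
        }
    }

    # Artifact 2: a value with a variable name under Run and/or RunOnce. Because the
    # name is unpredictable, every entry is returned for the operator to review.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($runKey in $runKeys) {
        if (-not (Test-Path $runKey)) { continue }
        $props = Get-ItemProperty -Path $runKey
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSChildName/... metadata that Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            $findings += "Autostart entry (review): $runKey\$($p.Name) = $($p.Value)"
        }
    }
    return $findings
}

$result = @(Get-SpybotRegistryFindings)
if ($result.Count -eq 0) {
    'No KaZaA share value and no Run/RunOnce entries found; nothing matching the brief.'
} else {
    $result
}
```

Legitimate autostart programs appear in the Run/RunOnce listing too, so compare each entry against what you know is installed rather than treating every line as a hit.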
  • profdlp The Holy City Of Westlake, Ohio
    edited July 2003
    Yeah, I'll definitely do that. I've already been through it manually, and with NBG regcleaner. I'm going to run NAV again when I finally hit the sack. This time I'm going to crank the heuristics up to the highest level, too.


    Prof
    (You're not paranoid if they really ARE out to get you...):p
  • Enverex Worcester, UK Icrontian
    edited July 2003
    It could have just been embedded in a web page you were just viewing. The reason NAV will say it can't clean a file is because the file isn't infected with the virus, it simply IS the virus, so there is nothing to clean as there is nothing but the virus in the file.

    NS
  • profdlp The Holy City Of Westlake, Ohio
    edited July 2003
    That could be it, Nightshade.

    I ran a second full system scan with the NAV heuristics cranked up to max. Came up clean again.

    One other thing which makes me think that I should be OK is that this virus was discovered several months ago and I am fanatical about keeping my definitions updated. I also scan several times a week and leave the auto-protect enabled. I think I'm just going to be extra careful for a while and keep close tabs on everything.


    Prof