I am SICK of w32.spybot.worm

news

Whoever wrote w32.spybot.worm NEEDS some time in jail.

I get the infection every 1-2 wks and then remove it. It then comes back.

This time it was comctsvc.exe - every time the filename is new.

How do I stop further files being installed?

Is a router the answer?

Meanwhile can the Federal Bureau of Investigation PLEASE arrest some people who
wrote the spybot program?
 

news

Boss Hog said:
[...]
How do I stop further files being installed?

Use a decent AV utility?

Well I have NORTON which helps a lot. But I am really sick of this. I have a
lot of work in running my company, and I don't need pesky virus attacks. The
police need to start working.
 

Art

Whoever wrote w32.spybot.worm NEEDS some time in jail.

I get the infection every 1-2 wks and then remove it. It then comes back.

This time it was comctsvc.exe - every time the filename is new.

How do I stop further files being installed?

Is a router the answer?

You mean you aren't firewalled? If not, that's your problem.

Art

http://home.epix.net/~artnpeg
 

Rick

news said:
Whoever wrote w32.spybot.worm NEEDS some time in jail.

Perhaps, but the odds are in their favor that nothing will be done.
I get the infection every 1-2 wks and then remove it. It then comes
back.
[snip]

How do I stop further files being installed?

Is a router the answer?


30 seconds to do a search with Google for W32.Spybot.Worm came up with the
following info from Symantec:

-------------------------------------
W32.Spybot.Worm is a detection for a family of worms that spreads using
the Kazaa file-sharing network and mIRC. This worm can also spread to
computers that are compromised by common back door Trojan horses and on
network shares protected by weak passwords.

Newer variants may also spread by exploiting the following
vulnerabilities:

* The DCOM RPC Vulnerability (described in Microsoft Security Bulletin
MS03-026) using TCP port 135.
* The Microsoft Windows Local Security Authority Service Remote Buffer
Overflow (described in Microsoft Security Bulletin MS04-011).
* The vulnerabilities in the Microsoft SQL Server 2000 or MSDE 2000
audit (described in Microsoft Security Bulletin MS02-061) using UDP port
1434.
* The WebDav Vulnerability (described in Microsoft Security Bulletin
MS03-007) using TCP port 80.
* The UPnP NOTIFY Buffer Overflow Vulnerability (described in Microsoft
Security Bulletin MS01-059).
* The Workstation Service Buffer Overrun Vulnerability (described in
Microsoft Security Bulletin MS03-049) using TCP port 445. Windows XP users
are protected against this vulnerability if the patch in Microsoft Security
Bulletin MS03-043 has been applied. Windows 2000 users must apply the patch
in Microsoft Security Bulletin MS03-049.
* The Microsoft Windows SSL Library Denial of Service Vulnerability
(described in Microsoft Security Bulletin MS04-011).
* The VERITAS Backup Exec Agent Browser Remote Buffer Overflow
Vulnerability (as described here).
* The Microsoft Windows Plug and Play Buffer Overflow Vulnerability
(described in Microsoft Security Bulletin MS05-039).

-------------------------------------

I would suggest you install a firewall (or at the very least a router),
make sure your systems are all up to date with security related patches,
uninstall Kazaa and stop using mIRC. If that doesn't take care of the
problem, then I suggest you get someone who knows what they are doing to
come in and help you secure your network. You obviously don't know how to
do so. That's not meant as an insult, just an observation.
Meanwhile can the Federal Bureau of Investigation PLEASE arrest some
people who wrote the spybot program?

Which wouldn't resolve your problem at all. In most cases, arresting the
original author(s) doesn't help much once the exploit code is out on the
net and making the rounds. There are usually plenty of others who then take
it and spread it further.
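Added example, not part of Rick's post or of the Symantec write-up he quotes: a short Python script that reads `netstat -an` output from a Windows box and flags the sockets that match the ports named in that list, so you can see which exposed services still need patching or blocking. The port-to-bulletin mapping is taken from the quoted list and nothing else is assumed about the worm; the `SAMPLE_NETSTAT` text is constructed for the example, not captured from a real machine.

```python
"""
Match the network vectors in the quoted write-up against the sockets a
Windows box reports via `netstat -an`.  Only ports the write-up itself
names are included; UPnP and the others without a stated port are left out.
"""
import re

# (proto, port) -> the write-up entry that uses that port.
WORM_VECTORS = {
    ("TCP", 135):  "DCOM RPC (MS03-026)",
    ("TCP", 445):  "Workstation Service (MS03-049; MS03-043 on XP)",
    ("TCP", 80):   "WebDAV (MS03-007)",
    ("UDP", 1434): "SQL Server 2000 / MSDE 2000 (MS02-061)",
}

# One `netstat -an` socket line, e.g.
#   "  TCP    0.0.0.0:135    0.0.0.0:0    LISTENING"
#   "  UDP    0.0.0.0:1434   *:*"            (UDP has no state column)
_SOCKET_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$"
)

def parse_netstat(text):
    """Yield (proto, local_addr, local_port, state) for each socket line,
    skipping the header and anything that does not look like a socket."""
    for line in text.splitlines():
        m = _SOCKET_LINE.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            yield proto, addr, int(port), (state or "")

def exposed_vectors(text):
    """Return sorted (proto, port, description) triples for worm-relevant
    sockets bound on a non-loopback address.  TCP must be LISTENING;
    a bound UDP socket counts as exposed (UDP has no listen state)."""
    found = set()
    for proto, addr, port, state in parse_netstat(text):
        if addr.startswith("127."):
            continue            # loopback only: not reachable from the LAN
        if proto == "TCP" and state != "LISTENING":
            continue            # ESTABLISHED/TIME_WAIT is not attack surface
        desc = WORM_VECTORS.get((proto, port))
        if desc:
            found.add((proto, port, desc))
    return sorted(found)

# Constructed sample in `netstat -an` format (not from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.5:1133       ESTABLISHED
  UDP    0.0.0.0:1434           *:*
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for proto, port, desc in exposed_vectors(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<5} exposed: {desc}")
```

On a real box you would run `netstat -an > sockets.txt` and feed that file to `exposed_vectors`. Note that the sample's UDP 137 line is not flagged because NetBIOS name service is not one of the ports the quoted write-up names; the script only tells you which of those listed vectors are reachable, not that a box is otherwise clean.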
 

Max Wachtel

(e-mail address removed) AKA news on 12/26/2005 in
Boss Hog said:
[...]
How do I stop further files being installed?

Use a decent AV utility?

Well I have NORTON which helps a lot. But I am really sick of this. I
have a lot of work in running my company, and I don't need pesky virus
attacks. The police need to start working.
******************Reply Separator*************************

Sounds like you need to teach your employees "safe-hex". I have written
some pages to get you started (see my sig below).
max

**********************************************************
NEVER download files from anywhere unless it is from the website of the
developer, manufacturer or some entity you trust. The developers'
websites ALWAYS have the most up to date files that haven't been
tampered with by some third party who is "hosting" (read: leeching or
stealing) those files without permission.
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 

David H. Lipman

From: "news" <[email protected]>

| Whoever wrote w32.spybot.worm NEEDS some time in jail.
|
| I get the infection every 1-2 wks and then remove it. It then comes back.
|
| This time it was comctsvc.exe - every time the filename is new.
|
| How do I stop further files being installed?
|
| Is a router the answer?
|
| Meanwhile can the Federal Bureau of Investigation PLEASE arrest some people who
| wrote the spybot program?
|

There are many infection vectors used by this worm. The *most* common are through network
protocols, taking advantage of an unprotected, unsecured and unpatched system.

You *must* install all OS Critical Updates.

You *must* use strong passwords and all accounts must use them.
{ 10 digits, 2 uppercase, 2 lowercase, 2 numbers and 2 special chars.}

You must use a FireWall. Either a software FireWall or even a NAT Router will help mitigate
its spread from the Internet to you. As always, I suggest blocking both TCP and UDP ports
135 ~ 139 and 445 on *any* SOHO Router.
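Added example, not Lipman's own tooling: a small Python checker for the password rule he states above, read here as "at least 10 characters in total, of which at least 2 uppercase, 2 lowercase, 2 digits and 2 special characters". Treating "special" as ASCII punctuation is an assumption, and the `SAMPLE_PASSWORDS` list is constructed for the example, not taken from any real accounts.

```python
"""
Check candidate passwords against the composition rule quoted in the post.
'length' counts every character; the other requirements count characters
matching their predicate.  A password passes only if no requirement fails.
"""
import string

# requirement name -> (minimum count, predicate over a single character)
POLICY = {
    "length":    (10, lambda c: True),
    "uppercase": (2,  str.isupper),
    "lowercase": (2,  str.islower),
    "digits":    (2,  str.isdigit),
    "special":   (2,  lambda c: c in string.punctuation),  # assumption
}

def policy_failures(password):
    """Return the names of the requirements the password fails, in policy
    order.  An empty list means the password satisfies all of them."""
    failures = []
    for name, (minimum, predicate) in POLICY.items():
        if sum(1 for ch in password if predicate(ch)) < minimum:
            failures.append(name)
    return failures

def audit(passwords):
    """Map each candidate password to its list of failed requirements."""
    return {pw: policy_failures(pw) for pw in passwords}

# Constructed candidates: one hopeless, one "almost", one compliant.
SAMPLE_PASSWORDS = ["password", "Company2005!", "Xy7!Qw9#ab"]

if __name__ == "__main__":
    for pw, failed in audit(SAMPLE_PASSWORDS).items():
        verdict = "OK" if not failed else "fails " + ", ".join(failed)
        print(f"{pw!r}: {verdict}")
```

The point of running this at password-set time rather than over a stored list is that you never want a file of plaintext passwords on the very machines the worm is crawling for shares. A composition rule is also only a floor: `Company2005!` fails above, but a password that passes can still be guessable if it is built from the company name, so pair the rule with a blacklist of obvious words.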
 

Virus Guy

news said:
I get the infection every 1-2 wks and then remove it. It then
comes back.

That's what you get for running Windows XP. The most vulnerable piece
of crap to ever come from Macro$haft.

You would have been better off to be running Windows 98, use NetBeui
for internal network shares, and get a NAT router.

Your employees will not practice "safe hex". They will continue to
slack off, to use P2P software on their computers, to do what they can
to keep getting infected so that when their computer is down they can
take a break, go for a smoke, shoot the shit with other employees in
the coffee room, while you bust your butt trying to clean up their
computer.

This is microsoft's vision of the efficient, smooth-running modern
office. Yea right. An army of IT guys running around cleaning
computers.

Windows 98 with netbeui (and office 2000) was the answer 5 years ago,
and it's still the answer today. Yea, Internet Exploiter (any
version) is still a vulnerability, and so is Outlook and OE, and there
are alternatives to those.

If you're not running with a NAT router, then you're a moron. Any
NT-based OS is wide open for netbios attacks and penetrations. Above
and beyond that, it's what your employees are doing that is screwing
you.
 

Offbreed

Virus said:
Above
and beyond that, it's what your employees are doing that is screwing
you.

Or his kids, especially if he does not have broadband in his home.
 

news

Virus Guy said:
That's what you get for running Windows XP. The most vulnerable piece
of crap to ever come from Macro$haft.

You would have been better off to be running Windows 98, use NetBeui
for internal network shares, and get a NAT router.

Your employees will not practice "safe hex". They will continue to
slack off, to use P2P software on their computers, to do what they can
to keep getting infected so that when their computer is down they can
take a break, go for a smoke, shoot the shit with other employees in
the coffee room, while you bust your butt trying to clean up their
computer.

This is microsoft's vision of the efficient, smooth-running modern
office. Yea right. An army of IT guys running around cleaning
computers.

Windows 98 with netbeui (and office 2000) was the answer 5 years ago,
and it's still the answer today. Yea, Internet Exploiter (any
version) is still a vulnerability, and so is Outlook and OE, and there
are alternatives to those.

If you're not running with a NAT router, then you're a moron.
I am not a "moron". I expect cops to arrest criminals. I don't carry a gun;
cops do that for me.
We have prisons for virus writers - they need to start using them.
 

David H. Lipman

From: "news" <[email protected]>


| I am not a "moron". I expect cops to arrest criminals. I don't carry a gun;
| cops do that for me.
| We have prisons for virus writers - they need to start using them.
|

Why do you think Microsoft has hundreds of thousands of US dollars in reward money?

Catching VX'ers is not an easy venture.
 

Offbreed

news said:
I am not a "moron". I expect cops to arrest criminals. I don't carry a gun;
cops do that for me.
We have prisons for virus writers - they need to start using them.

You need to consider exactly how much snooping the cops would have to do
in order to find the people responsible.

It would be sort of like letting the cops' boss keep your extra money so
it won't get stolen. The cops' boss in most cities is the Mayor.

Secure your property properly. No amount of legal action can make up for
the damage a criminal can do.

Why am I not surprised you threw in that comment about guns? Cops are
not everywhere. They cannot be. Some things you have to take care of
yourself.
 

kurt wismer

news said:
In their files.

wah wah wah... they need to *do* something... wah wah wah...

i think you'll find that in order for them to have anything in their
files they need to already know who the virus writers are - they
don't... there's no magic oracle that one can ask "who wrote this virus?"...

if you had a concrete suggestion to help them track the people down
instead of a whining plea maybe then it could be passed on to the
authorities...
 

Virus Guy

news said:
I am not a "moron" I expect cops to arrest criminals.

What cave have you been living in the past few years?

You, and your fellow UK citizens (like those in USA) have the
manufactured expectation to be protected against terror. Everything
else is secondary.

Viruses do not cause terror.

Until the battle, no, the war against terror is over, you'll have to
deal with viruses yourself.

Now do your part and keep a close watch on your fellow citizens and
report all suspicious behavior to the authorities.
 

Bipolar Boogieman

Whoever wrote w32.spybot.worm NEEDS some time in jail.

Correction! FIRST, they need their asses kicked... I'm talking about a
good, old fashioned "blanket party". Then, they need to sit in a county
jail in BFE somewhere and be "Bubba's baby" for a couple months. After
that, they need two fingers cut off of each hand and they can transfer to
a state pen for a year and be some gangsta's beeotch. Then, they should
do 30 years at Leavenworth breaking rocks, That all would be a *start*
for disciplining these pricks.

I get the infection every 1-2 wks and then remove it. It then comes
back.

My brother (and many of my friends) have been infected with this shit
NUMEROUS times and have had to wipe their boxes and start over each time.
It's bullshit!

Is a router the answer?

Well, I have to wonder because I'm behind one and NONE of my boxes have
got it at all and my LAN is online via cable modem 24/7. My brother is on
dialup and keeps getting it.

Meanwhile can the Federal Bureau of Investigation PLEASE arrest some
people who wrote the spybot program?

It would be nice to see, but I wouldn't hold my breath waiting for it..
 

Hoosier Daddy

Bipolar Boogieman said:
Correction! FIRST, they need their asses kicked... I'm talking about a
good, old fashioned "blanket party". Then, they need to sit in a county
jail in BFE somewhere and be "Bubba's baby" for a couple months. After
that, they need two fingers cut off of each hand and they can transfer to
a state pen for a year and be some gangsta's beeotch. Then, they should
do 30 years at Leavenworth breaking rocks, That all would be a *start*
for disciplining these pricks.

My brother (and many of my friends) have been infected with this shit
NUMEROUS times and have had to wipe their boxes and start over each time.
It's bullshit!

Well, I have to wonder because I'm behind one and NONE of my boxes have
got it at all and my LAN is online via cable modem 24/7. My brother is on
dialup and keeps getting it.

It would be nice to see, but I wouldn't hold my breath waiting for it..

Funny though that some of us never have a problem with it or any other
malware and your brother and your friends have had "numerous" run-
ins requiring box wiping. This says more about them than it does the
malware writer.
 

Todd H.

Bipolar Boogieman said:
My brother and (many of my friends) have been infected with this shit
NUMEROUS times and had to wipe his box and start over each time. It's
bullshit!

It makes for a very compelling argument for Macs, because they don't
have these problems.

However, you're not alone. It is rather tricky to keep Windows
machines clean these days unless you're very careful about updates and
security, and pretty inured to social engineering attacks.
Well, I have to wonder because I'm behind one and NONE of my boxes have
got it at all and my LAN is online via cable modem 24/7. My brother is on
dialup and keeps getting it.

If you're on broadband and haven't shelled out $50 for an SPI firewall
router these days, yer nuts in my opinion. They're dead cheap.

Without one, if you are rebuilding your system from original media,
there is nothing preventing your machine from getting owned by a
network based exploit if you have it connected to the internet during
the rebuild. If you're on dialup, and have to download something
like service pack 2 in order to get your updates current, that gives
automated tools a long time to find your machine and own you before
your updates are in place. Survival time on the open internet for
an unpatched box is a whopping 13 minutes right now:
http://isc.sans.org/survivalhistory.php

Dialup users should definitely be running a software firewall of some
sort. If they have to rebuild, they should take their box to a
broadband-connected house, reinstall from original media, and get
their updates from behind a firewall (where all other machines are
temporarily disconnected to prevent getting owned over the LAN by your
buddy's potentially infected computer).

Best Regards,
 
