Spybot worm
The Spybot worm is a large family of computer worms of varying characteristics. Although the actual number of versions is unknown, it is estimated to be well into the thousands. Spybot briefly held the record for most variants, but has subsequently been surpassed by the Agobot family.
Common features
Spybot variants generally have several things in common:
- The ability to spread via the popular P2P program KaZaA, often in addition to other such programs.
- The ability to spread via at least one vulnerability in the Windows operating system. Earlier versions mostly used the RPC DCOM buffer overflow, although now some use the LSASS buffer overflow.
- The ability to spread via various common backdoor Trojan horses.
- The ability to spread to systems with weak administrative passwords.
Recognition
Because there is no standard for detecting or classifying the Spybot family, there is also no standard naming convention. Because of this lack of a standard naming convention and because of common features, variants of the Spybot worm can often be confused with the Agobot and IRCBot family of worms. Most antivirus programs detect variants generically (e.g. W32/Spybot.worm), and identifying which specific Spybot variant a detection refers to is next to impossible except with the earliest or most common versions.
As a result of having so many variants, one antivirus company is often not able to recognize and remove all versions of the worm. The same applies to most antispyware software.