Spybot.worm... via Battlefield 1942?

PaulBM

Full Member
We're looking into a W32.Spybot.Worm infection on a PC that was left here clean yesterday. The PCs are behind an ADSL router and have Norton AV, which detected svhost.exe as having W32.Spybot.Worm today.

It appears that the only event that might have brought the worm in was Battlefield 1942, which was played on the XP PC on the local network last night. During that session he was kicked off a Battlefield server by PunkBuster for spamming, which makes me think the Spybot was busy. :)

I've read a little bit about Battlefield using IRC to various degrees for its communication. Is it possible that the worm could have been installed on his PC via IRC connections within Battlefield?

We did find his administrator password was weak.... well non existent. :rolleyes:
 

Chick

Cartwheel RIGHT
If you have a public IP it is more than likely that the machine was just found by an auto-scanner chugging through subnets and throwing random (and indeed blank) passwords at the Admin account in an attempt to compromise the machine.

Otherwise, hmmm.

Running / got a firewall?
 
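The scenario Chick describes (a scanner throwing blank and random passwords at the Administrator account) leaves a very recognisable trace in logon auditing: a burst of failures for one account from one source, often followed by a success. The following is an added example, not code from this thread, that runs that check over a handful of constructed log lines. It assumes a simplified "date time source_ip account RESULT" layout rather than real Windows event-log output; the threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per logon attempt in a simplified
# "date time source_ip account RESULT" layout. This is not real Windows
# event-log output; the layout is an assumption made for this example.
SAMPLE_LOG = """\
2004-06-01 22:10:40 192.168.1.10 paul SUCCESS
2004-06-01 22:14:01 81.2.3.4 Administrator FAIL
2004-06-01 22:14:03 81.2.3.4 Administrator FAIL
2004-06-01 22:14:05 81.2.3.4 Administrator FAIL
2004-06-01 22:14:07 81.2.3.4 Administrator FAIL
2004-06-01 22:14:09 81.2.3.4 Administrator FAIL
2004-06-01 22:14:11 81.2.3.4 Administrator FAIL
2004-06-01 22:14:13 81.2.3.4 Administrator SUCCESS
2004-06-01 22:20:00 192.168.1.10 Administrator FAIL
2004-06-01 22:20:30 192.168.1.10 Administrator SUCCESS
2004-06-01 22:30:00 10.0.0.5 Administrator FAIL
2004-06-01 22:35:00 10.0.0.5 Administrator FAIL
2004-06-01 22:40:00 10.0.0.5 Administrator FAIL
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_line(line):
    """Parse one log line into (timestamp, source_ip, account, result), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_password_guessing(log_text, account="Administrator",
                           threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs that produced at least `threshold` failed logons for
    `account` inside any span of length `window`, and record whether the same
    source logged on successfully afterwards (a guessed blank/weak password)."""
    by_src = defaultdict(list)
    for parsed in map(parse_line, log_text.splitlines()):
        if parsed is None:
            continue
        ts, src, user, result = parsed
        if user.lower() == account.lower():
            by_src[src].append((ts, result))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        fails = [ts for ts, r in events if r == "FAIL"]
        # Sliding window over the sorted failure timestamps: the largest
        # number of failures whose first and last are within `window`.
        peak, start = 0, 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            first_fail = fails[0]
            later_success = any(r == "SUCCESS" and ts > first_fail
                                for ts, r in events)
            alerts[src] = {"max_failures_in_window": peak,
                           "later_success": later_success}
    return alerts


if __name__ == "__main__":
    for src, info in find_password_guessing(SAMPLE_LOG).items():
        print(src, info)
```

On the sample above only 81.2.3.4 is flagged: six failures in ten seconds followed by a success, which is exactly what a guessed blank Administrator password looks like. The local user's single typo and the slow three-attempt trickle from 10.0.0.5 stay under the threshold.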

PaulBM

Full Member
Yeah, it's behind a Netgear ADSL Firewall Router, with no port forwarding. I did ask, but he doesn't host any games servers.
 

Rochdale

l33t g1bb0n
Staff member
Is he in the DMZ on the router? I'd imagine he'd have problems with games if he wasn't, or didn't have lots of ports open.
 

Chick

Cartwheel RIGHT
Er, you "should" be safe behind that, unless the router is b0rk. Do you know the IP address? I can scan it from here and see if it is "open".

It sounds more like a website-based vulnerability, however, using some nasty IE hole to backdoor your machine. Check the cache for dodgy sites visited. Some of the more modern spoof attacks can sneak past NAV.
 

Zed

Rogue Chimp
Spybot is typically transmitted over P2P networks, not directly through IRC. It uses IRC as a comms channel for sending keylog information.

I suspect the person in question (or someone else) has used the machine for a P2P download or two and inadvertently picked up Spybot. Unless it's a brand new variant (there are well over 1000 variants of this now) which somehow transmits via IRC.

So I'm betting money on Kazaa or the Kazaa network being the culprit. It could be a dodgy game or something that had the virus embedded in it.
 
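Zed's description gives a two-part pattern to look for on the router or a span port: the infection arrives over a P2P network and the bot then opens an IRC session for commands and exfiltrated keylog data. The following is an added example, not code from this thread or from any AV vendor, that scans constructed outbound-connection records for an internal host showing both FastTrack (Kazaa, port 1214) and IRC-port traffic, then confirms a captured payload really is IRC by looking for the registration commands a client sends on connect. The log layout, the port lists and the sample addresses are assumptions made for the example; port numbers alone are weak evidence, which is why the payload check is there.

```python
import re
from collections import defaultdict

IRC_PORTS = set(range(6660, 6670)) | {7000}   # common IRC server ports (assumed list)
P2P_PORTS = {1214}                            # FastTrack/Kazaa default port
INTERNAL_RE = re.compile(r"^(192\.168\.|10\.|172\.(1[6-9]|2\d|3[01])\.)")

# Constructed sample of outbound connections in a simplified
# "date time src_ip:src_port -> dst_ip:dst_port proto" layout.
# Not a real router log format; the layout is an assumption for this example.
SAMPLE_CONN_LOG = """\
2004-06-01 21:03:12 192.168.1.77:1045 -> 203.0.113.9:1214 tcp
2004-06-01 21:03:40 192.168.1.77:1046 -> 203.0.113.10:1214 tcp
2004-06-01 21:30:05 192.168.1.77:1102 -> 198.51.100.7:6667 tcp
2004-06-01 21:45:05 192.168.1.77:1103 -> 198.51.100.7:6667 tcp
2004-06-01 21:10:00 192.168.1.10:1500 -> 203.0.113.20:80 tcp
2004-06-01 21:12:00 192.168.1.10:1501 -> 198.51.100.8:6667 tcp
"""

CONN_RE = re.compile(r"^\S+ \S+ (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def parse_conn(line):
    """Parse one record into (src, sport, dst, dport, proto), or None."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def classify_hosts(log_text):
    """Map each internal source IP to the sets of IRC and P2P peers it contacted."""
    hosts = defaultdict(lambda: {"irc": set(), "p2p": set()})
    for parsed in map(parse_conn, log_text.splitlines()):
        if parsed is None:
            continue
        src, _sport, dst, dport, _proto = parsed
        if not INTERNAL_RE.match(src):
            continue
        if dport in IRC_PORTS:
            hosts[src]["irc"].add(dst)
        elif dport in P2P_PORTS:
            hosts[src]["p2p"].add(dst)
    return dict(hosts)


def suspicious_hosts(log_text):
    """Internal hosts that talked to both a P2P network and an IRC server:
    the infection-vector plus command-channel pattern described above."""
    return sorted(src for src, seen in classify_hosts(log_text).items()
                  if seen["irc"] and seen["p2p"])


# IRC client registration commands, checked at line starts in a captured payload.
IRC_REG_RE = re.compile(rb"^(NICK|USER|JOIN) ", re.M)


def looks_like_irc(payload: bytes) -> bool:
    """Confirm a flow is IRC rather than something else on an IRC port:
    require at least two distinct registration commands (NICK/USER/JOIN)."""
    return len(set(IRC_REG_RE.findall(payload))) >= 2


if __name__ == "__main__":
    print("hosts with P2P + IRC activity:", suspicious_hosts(SAMPLE_CONN_LOG))
    # Constructed payload in the shape of a bot's first lines to an IRC server.
    sample = b"NICK [XP]-8821\r\nUSER xp 0 * :xp\r\nJOIN #chan secret\r\n"
    print("payload looks like IRC:", looks_like_irc(sample))
```

In the sample, 192.168.1.77 is the only host with both Kazaa and IRC connections; 192.168.1.10 also reaches an IRC port but shows no P2P activity, so it is reported as plain IRC use rather than the combined pattern. A legitimate IRC user will of course pass `looks_like_irc` too, so the payload check separates IRC from non-IRC traffic on those ports, not bots from people; the channel name, nick format and what gets sent after JOIN are what distinguish a bot.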

Aciiid

Full Member
Erm, if you're talking about Spybot the adware removal tool then it's probably a good idea to have it on your machine after downloading it. Ad-Aware and Spybot both search for slightly different things, so running them both to detect advert and other trojans is a good idea.

If you didn't get it on your machine by installing it yourself though make sure someone else didn't.

If it's definitely the virus then you have a real nasty one.

Check out this for the Network Associates description... Nasty keylogger + bits. They are also pointing the finger at file-sharing programs like Kazaa etc. (these have always been dodgy pieces of software).
 

PaulBM

Full Member
Thanks all. The PC has been collected, Worm free... for now. :)

I think Kazaa was probably the source of the Worm; it is installed on the target PC. He assures us that the file sharer has not been run for some time, but the Worm in question is known to be passed via these file-sharing programs.

As the Worm was a key stealer for many games, let's hope he doesn't get a 'your key is in use' message next time he runs Battlefield.

BTW, he's on BT Openworld, dynamic IP, as far as I know.
 

wazula

Full Member
Defence In Depth

My experience is that you need as much security as you can get; for example, 7 different virus checkers will give 7 different results. Similar thing for spyware, I'm sure. So have as much as you can afford on the really sensitive machines.

:)
 