11.07.2004

More Info on W32.Spybot.Worm

I've noticed that several visitors are reaching this blog after searching for help with W32.Spybot.Worm, so I am posting a few more knowledge gems in the hope that my experience can lessen the effect of this worm on other networks. See my previous W32.Spybot.Worm blog entry for the background.

Tools
We relied on a couple of tools to understand what W32.Spybot.Worm was doing on the network. The first is Autoruns from Sysinternals. Autoruns enumerates the registry keys and startup folders that launch programs at boot or logon, so anything the worm registered in order to survive a reboot shows up in its list. This is how we discovered that malicious files named WinUSB2 and bling.exe were executing at startup.

Another Sysinternals utility that came in handy was PsKill (part of the PsTools suite). This little command-line tool let us kill the WinUSB2 and bling.exe processes on all infected workstations; we needed it because simply ending the task in Task Manager wouldn't work. PsKill can kill processes on the local system or, given a computer name, on remote machines across the network. We wrote a quick and dirty batch file that called PsKill to stop WinUSB2 and bling.exe on every infected host. This eased the network traffic, which had been overwhelming the edge router.
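The batch-file-plus-PsKill approach described above, written out as an added example. This is my script, not the one from the original post. It assumes (none of this is stated on the page) that pskill.exe and pslist.exe from the PsTools suite are on the PATH, that a file named hosts.txt holds one hostname per line, and that the account running the script is a local administrator on every target, which PsTools require for remote access. It adds a verification step with PsList, which the post does not mention, and PsList's output format (a header row starting with "Name", then one row per process starting with the image name) is also an assumption about the tool's default output.

```batch
@echo off
rem Added example, not the batch file from the original post: drive PsKill
rem (and PsList for verification) from the Sysinternals PsTools suite against
rem every host in a list, killing the two W32.Spybot.Worm processes named on
rem this page, WinUSB2 and bling.exe.
rem Assumptions (not from the original post): pskill.exe and pslist.exe are
rem on the PATH, hosts.txt holds one hostname per line (lines starting with
rem # are skipped), and the account running this script is a local
rem administrator on each target. Alternatively pass explicit credentials
rem with PsTools' -u/-p switches; avoid hard-coding a password in the file.
setlocal
set HOSTLIST=hosts.txt
set LOGFILE=spybot-kill.log

if not exist "%HOSTLIST%" (
    echo Host list %HOSTLIST% not found.
    exit /b 1
)

echo ==== run started %DATE% %TIME% ==== >> "%LOGFILE%"

rem One :killhost call per hostname in the list.
for /f "usebackq eol=# tokens=1" %%H in ("%HOSTLIST%") do call :killhost %%H

echo ==== run finished %DATE% %TIME% ==== >> "%LOGFILE%"
endlocal
goto :eof

:killhost
rem %1 is the target hostname. PsKill accepts an image name as well as a PID,
rem so no per-host PID lookup is needed (PsTools refer to processes by image
rem name without the .exe extension). All output, including "process not
rem found" and "access denied" messages, goes to the log for review.
echo [%1] killing WinUSB2 and bling >> "%LOGFILE%"
pskill \\%1 WinUSB2 >> "%LOGFILE%" 2>&1
pskill \\%1 bling   >> "%LOGFILE%" 2>&1

rem Verify by listing the host's processes. The listing goes to a temp file
rem so an unreachable host is told apart from a clean one: if PsList's
rem "Name ..." header row is missing, the listing itself failed.
set TMPFILE=%TEMP%\pslist-%1.txt
pslist \\%1 > "%TMPFILE%" 2>&1
findstr /b /c:"Name " "%TMPFILE%" >nul
if errorlevel 1 (
    echo [%1] UNREACHABLE: could not list processes, retry this host >> "%LOGFILE%"
    del "%TMPFILE%"
    goto :eof
)

rem Each process row starts with the image name, so a /b (beginning-of-line)
rem match on either name means the worm is still running.
findstr /b /i "WinUSB2 bling" "%TMPFILE%" >nul
if errorlevel 1 (
    echo [%1] OK: neither WinUSB2 nor bling is running >> "%LOGFILE%"
) else (
    echo [%1] WARNING: a Spybot process is still running, recheck this host >> "%LOGFILE%"
)
del "%TMPFILE%"
goto :eof
```

Killing the processes only buys breathing room for the network: the autostart entries that Autoruns turned up will relaunch the worm at the next boot or logon, so a host that reports OK here still needs the registry entries and files removed before it is clean.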

Machine Repair
We ended up using the updated Symantec AV definition files and letting SAV (Symantec AntiVirus) repair the machines. However, if Symantec had taken any longer to publish the definitions (it took them almost 24 hours), we would have taken matters into our own hands. Possible options for removing the offending registry keys and files remotely would have been KiXtart, or maybe just WMI (since every desktop runs Windows 2000 or XP). I'm glad we didn't need to go down this path.