By Joris Evers
Staff Writer, CNET News.com
November 29, 2006
An updated variant of a malicious bot program is spreading via a flaw in
Symantec's antivirus software as well as through several holes in
The program, called "Spybot.ACYR" by Symantec and "Sdbot.worm!811a7027"
by McAfee, appears to be targeting educational institutions, according
to a blog item posted by Symantec Tuesday. "We are seeing a spike in
traffic on port 2967 with activity only in the .edu domain," the
security company said. "The impact of the attack is minimal thus far."
This Spybot variant attempts to break into computers through a
six-month-old vulnerability in Symantec Client Security and Symantec
AntiVirus. A fix has been available since May 25. "Customers who have
applied the patch in their environment are unaffected by the worm,"
Additionally, the bot program tries to exploit five flaws in Microsoft
Windows, the most recent of which was patched in August and affects
Windows file and printer sharing. The oldest Windows flaw of the five
dates back to 2004, according to Symantec's alert.
When installed on a PC, Spybot opens a back door in the system and
connects to an Internet Relay Chat server to let the remote attacker
control the compromised computer. Spybot first surfaced in 2003 and has
spawned many offshoots.
Bot software such as Spybot is the most prevalent threat to Windows PCs,
according to a recent Microsoft security report. More than 43,000 new
variants of such insidious programs were found in the first half of
2006, making it the most active category of malicious software,
A computer taken by such a bot is popularly referred to as a "zombie
PC." It can be used by miscreants as part of a network of bots, or
"botnet," to relay spam and launch cyberattacks. Additionally, hackers
often steal the victim's data and install spyware and adware on PCs, to
earn a kickback from the spyware or adware maker.
Subscribe to InfoSec News