Spybot worm spreads via direct P2P file sharing

The worm, uncovered by companies including Panda Security, tricks users by appearing as a social network invitation or a response on a Google job application. Once installed, it directs results from searches on keywords such as ‘hotel’, ‘weather’, or ‘airlines’ to pages that can contain malware.

Spybot.AKB spreads itself via email messages or direct peer-to-peer file sharing connections. One email purports to be a Twitter invitation from another user, containing a file that users must supposedly run to join the service. In the P2P infection, the worm copies itself and renames the copy with the filename of a popular application, such as VMware or Norton Anti-Virus.

The worm installs itself as a Firefox extension. When the user chooses the Disable or Uninstall option, the extension is disabled or uninstalled, but the file that has installed it remains memory resident.

Spybot.AKB is also self-protecting. It will “take a series of actions to compromise the security level of infected computers, adding itself to Windows firewall list of authorized applications, and disabling the Windows error reporting service and the user access control,” according to Panda Labs. The anti-malware vendor said that the worm also disables the User Access Control feature found in Windows Vista and Windows 7.
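
The three settings named above can be checked on a host with a read-only audit. This is an added example, not code from Panda Labs or from the article; it assumes Windows 8 / Server 2012 or later (for the NetSecurity cmdlets) and an elevated PowerShell prompt, and the function name and the "trusted directory" heuristic are illustrative choices.

```powershell
# Added example: read-only audit of the settings the article says the worm changes.
# Get-SelfProtectionFindings is a hypothetical helper name, not a built-in cmdlet.
function Get-SelfProtectionFindings {
    $findings = @()

    # 1. UAC: EnableLUA = 1 is the enabled state; 0 or missing means it is off or unset.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -ne 1) { $findings += "UAC: EnableLUA is '$lua' (expected 1)" }

    # 2. Windows Error Reporting service (WerSvc): flag it if missing or disabled.
    $wer = Get-CimInstance -ClassName Win32_Service -Filter "Name='WerSvc'"
    if (-not $wer) { $findings += 'WER: WerSvc service not found' }
    elseif ($wer.StartMode -eq 'Disabled') { $findings += 'WER: WerSvc start mode is Disabled' }

    # 3. Firewall: enabled inbound allow rules bound to a program that sits outside
    #    the system / Program Files directories or lacks a valid Authenticode signature.
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
    foreach ($rule in $rules) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if (-not $program -or $program -in 'Any', 'System') { continue }

        # Rule paths may contain variables such as %SystemRoot%.
        $path = [Environment]::ExpandEnvironmentVariables($program)
        $inTrusted = $trusted | Where-Object {
            $path.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase)
        }
        $signed = (Test-Path -LiteralPath $path) -and
                  ((Get-AuthenticodeSignature -LiteralPath $path).Status -eq 'Valid')

        if (-not $inTrusted -or -not $signed) {
            $findings += "Firewall: '$($rule.DisplayName)' allows $path " +
                         "(trusted dir: $([bool]$inTrusted), signed: $signed)"
        }
    }
    return $findings
}

Get-SelfProtectionFindings
```

Findings are leads for review, not verdicts: legitimate software installed under a user profile also creates firewall allow rules, and administrators sometimes disable error reporting by policy.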
