The Spybot family is one of the more popular and adaptable (i.e., new variants are easy to create) malware families circulating in the wild. The latest variant now includes the MS06-040 exploit along with the capability to download and install a rootkit.
Spybot - New Variant includes MS06-040 Exploit plus Rootkit
http://vil.mcafeesecurity.com/vil/content/v_135336.htm

Quote: The worm opens a backdoor at TCP port 443 and tries to connect to an IRC server and waits for commands. One of the ways this worm can spread is by exploiting the MS06-040 vulnerability. TCP port 443 is normally used for the https protocol, but this worm uses it for IRC. W32/Spybot.worm.gen.p is a worm that also drops a rootkit component to hide its files and processes. This rootkit component is detected as NTRootKit-J.
Actions that the worm may perform on receiving appropriate commands include:
* Enumerate active processes and threads on the infected computer
* Start, stop and hide processes and threads
* Modify Microsoft Internet Explorer's start page
* Open a local web server
* Port scan IP addresses in a specified subnet to identify possible targets for infection
* Open a backdoor at a specified port
* Transfer files
* Spread via mIRC
* Update itself
* Restart the infected machine
* Flush ARP and DNS caches
* Sniff network traffic
* Create, delete and try to spread via network shares
* Spread via AOL Instant Messenger
* Download files from a specified URL