W32.Xabot.Worm

Printable View

August 19th, 2004, 01:42 PM
Leurgy

W32.Xabot.Worm

Clicked on a video clip and allowed WMP9 to access the net through ZoneAlarm 2.6. Never did see the video, but almost immediately got a ZoneAlarm Program Alert. All it says is "Do you want to allow to access the internet?'. That is not a typo, ZA is not saying what wants out. On the Alert, under Technical Information, its blank also. These alerts are not being recorded in the ZA Log either. Keep clicking no, and alert keeps coming back, even when I tell it to remember this answer. Ran AdAware SE and got nothing unusual. Ran Hijack this (latest version), nothing there either. Ran Spybot S&D (Ver 1.3) twice and got an alert about Xabot, and a German error message which follows:

Error during check!: Xabot (Ungültiger Datentyp für '').

An online German/English dictionary tells me the first word means invalid file access mode OR invalid file name OR invalid variable reference. The second word means data type and the third word means to find (found?).

Spybot hangs when I click Fixed Checked.

Running Kapersky Anti-Virus Ver 5.0. That has been running for an hour and a half and seems to be stuck on 31%. UPDATE: After two hours scan is at 67%.

Symantec tells me When W32.Xabot.Worm is executed, it does the following:Copies itself as %System%\wininit32.exe. Can find no instance of this file on my system. Looked around the registry for the changes Symantec talks about and they are not there either.

All this tells me that this Bot hasn't executed yet. Is there some way to get rid of this thing (I'm guessing its loaded in Memory (?) before I reboot or will I have to execute the d**m thing just to be done with it.

I'm behind a router. Will that help in this instance. This thing looks really nasty.
August 19th, 2004, 04:11 PM
Leurgy

Investigated a couple of spyware forums and found:

"Re: Error during check!
Xabot (Ungultiger Datentyp fur “)

"Ungültiger Datentyp für" is German for "Invalid data type for."

There is a bug in Spybot 1.3. It requires a program fix (not a detections update) to fix this. If this message is the reason that you think you have the “W32.Xabot.Worm” it is not a good indication."

Still, something is trying to access the internet.

My next move is to reboot and see what happens.
August 19th, 2004, 04:36 PM
jerryctx

Try the Spybot fix before you spend more time on the net access issue. The two problems are probably related.
August 19th, 2004, 05:51 PM
Leurgy

Thanx for the post jerryctx.

Rebooted and thus far everything seems to be ok. Now to find the Spybot fix.
August 19th, 2004, 08:31 PM
Leurgy

Turns out the "Error during check!: Xabot (Ungültiger Datentyp für '' warning when scanning with Spybot S&D is a known issue or a "False Positive". They call it the "Ungültiger Datentyp" bug in BHO list.

It occurs with versions prior to version 1.3.1 and there are further issues discussed here. You need to uninstall your previous version to update. Uninstall instructions can be found here., including a fix to remove registry entries.

That was an interesting experience but I don't think I want things like that to happen very often.:D