
Win32/Spyboter


Microsoft security software detects and removes this threat.
 
Win32/Spyboter is a family of backdoor trojans that targets certain versions of Microsoft Windows.
 
The trojan injects code into explorer.exe and allows attackers to control the PC through an IRC channel. 


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

When Win32/Spyboter runs, it may take the following actions:
  • Copy itself to a new file in the system folder and run the file. 
  • Exit and delete the original Trojan file.
  • Add a value to the following registry keys:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    These changes cause the Trojan to run each time Windows starts. Some Win32/Spyboter variants create a Windows service to attain similar results.
  • Terminate security-related services and processes.
  • Inject code into the explorer.exe process space and run the code.
  • Connect to an IRC server and join a specific channel to receive commands from attackers. These commands instruct the Trojan to perform operations such as the following:
    • Drop copies of itself to Windows startup folders.
    • Drop copies of itself to the share folder of a file-sharing application.
    • Gather system information such as CPU speed, memory usage, Windows operating system, connection type, IP address, and Windows logon information.
    • Add, modify, or delete registry keys.
    • Send e-mail to other attackers.
    • Conduct denial of service (DoS) attacks.
    • Download and run files.
    • Create and delete network shares.
    • Redirect connections.
    • Enable DCOM protocol.
    • Scan for computers with weak administrator passwords.
    • Scan a range of IP addresses on certain open ports.
    • Set up an HTTP proxy.
    • Set up a TFTP server or an HTTPd server.
    • Download files using FTP or HTTP and run the files.
    • Log keystrokes.
    • Gather CD keys of various games.
    • Gather Windows product keys.
    • Gather e-mail addresses.
    • List or terminate certain processes and services.
    • Remove the worm.
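The behaviors above give a defender three concrete things to check on a suspect machine: the Run/RunOnce autostart values, services whose binaries are not validly signed, and explorer.exe holding outbound connections it has no business holding. The following PowerShell triage script is an added example written for this page; it is not part of the Microsoft encyclopedia entry and the function names (Get-AutostartFindings, Get-ServiceFindings, Get-ExplorerConnections, Get-ImagePath) are my own. It covers the two keys the entry names plus their Run/RunOnce siblings in the other hive, which is an assumption about where related variants persist rather than something the entry states.

```powershell
# Added example, not code from the Microsoft entry. Checks the persistence and
# network indicators described in the Threat behavior section. Read-only; nothing is removed.

# The two keys named in the entry plus their Run/RunOnce siblings (assumption: variants
# may use either; all four keys exist on supported Windows versions).
$AutostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line such as  "C:\Dir With Spaces\x.exe" /arg
# or  C:\Windows\System32\x.exe -k  (quoted, unquoted-with-spaces, or bare token).
function Get-ImagePath([string]$CommandLine) {
    if ($CommandLine -match '^"([^"]+)"')      { return $Matches[1] }
    if ($CommandLine -match '^(.+?\.exe)\b')   { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return [Environment]::ExpandEnvironmentVariables(($CommandLine -split '\s+')[0])
}

# Authenticode status of the file a persistence entry points at, or FileMissing.
function Get-SignatureStatus([string]$Path) {
    if (Test-Path -LiteralPath $Path) { return (Get-AuthenticodeSignature -FilePath $Path).Status }
    return 'FileMissing'
}

# Every value under the autostart keys, with its resolved image path and signature status.
# A copy dropped into the system folder and pointed at from Run/RunOnce shows up here as
# an unsigned binary living under System32.
function Get-AutostartFindings {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
            $path = Get-ImagePath ([string]$prop.Value)
            [pscustomobject]@{
                Source    = $key
                Name      = $prop.Name
                ImagePath = $path
                InSystem  = $path -like "$env:SystemRoot\System32\*"
                Signature = Get-SignatureStatus $path
            }
        }
    }
}

# Some variants persist as a Windows service instead; report services whose binary is
# missing or not validly signed.
function Get-ServiceFindings {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        if (-not $_.PathName) { return }
        $path = Get-ImagePath $_.PathName
        $sig  = Get-SignatureStatus $path
        if ($sig -ne 'Valid') {
            [pscustomobject]@{ Service = $_.Name; State = $_.State; ImagePath = $path; Signature = $sig }
        }
    }
}

# The backdoor runs inside explorer.exe and talks to an IRC server, so established
# outbound TCP sessions owned by explorer.exe to non-loopback hosts are worth reviewing.
# Needs the NetTCPIP module (Windows 8 / Server 2012 and later).
function Get-ExplorerConnections {
    $explorerPids = (Get-Process -Name explorer -ErrorAction SilentlyContinue).Id
    if (-not $explorerPids) { return }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $explorerPids -contains $_.OwningProcess -and $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort
}

Get-AutostartFindings   | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
Get-ServiceFindings     | Format-Table -AutoSize
Get-ExplorerConnections | Format-Table -AutoSize
```

Run it from an elevated PowerShell so every service binary is readable. An unsigned or missing image under Run/RunOnce or behind a service is a lead, not a verdict: plenty of legitimate third-party software is unsigned, and explorer.exe does open network connections of its own, so compare the remote addresses and the binaries against what the machine is known to run before acting, and let the security software the entry recommends perform the actual removal.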

Symptoms

Alerts from your security software might be the only symptom.


Prevention


Alert level: Severe
This entry was first published on: Jul 26, 2005
This entry was updated on: Jul 16, 2015

This threat is also detected as:
  • W32/Spybot.worm.gen (McAfee)
  • W32.Spybot.Worm (Symantec)
  • Backdoor.Spyboter (Symantec)
  • WORM_SPYBOT.GEN (Trend Micro)