Skip to main content
Microsoft Security Intelligence
Published Aug 25, 2008 | Updated Apr 16, 2011


Detected by Microsoft Defender Antivirus

Aliases: No associated aliases


Win32/Slenfbot is a worm that can spread via instant messaging programs, which may include MSN Messenger, Yahoo Messenger and Skype. It may also spread via removable drives or exploiting the MS06-040 vulnerability. This worm spreads automatically via shares, but must be ordered to spread via exploit or instant messaging by a remote attacker. The worm also contains backdoor functionality that allows unauthorized access to an affected machine.
Manual removal is not recommended for this threat. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see
Disable Autorun functionality
Win32/Slenfbot attempts to spread via removable drives on computers that support Autorun functionality. This is a particularly common method of spreading for many current malware families. For information on disabling Autorun functionality, please see the following article:
Additional remediation instructions for Win32/Slenfbot
This threat may make lasting changes to a computer’s configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s: 
Restoring your System Registry:
Resetting System Security Settings to default:
Viewing hidden and/or system files:
Stopping and starting Windows services:
Enabling Task Manager:
Enabling System Restore:
Enabling Windows Firewall:
Enabling Windows Security Center/Action Center alerts:
Recreating a clean HOSTS file:
Follow us