
Troj/Spybot-AW

Mar 4, 2004 1:17AM PST

Aliases
Backdoor.Spyboter.aw, W32/Spybot.worm.gen.a, Win32/Spyboter.AW, W32.Spybot.Worm, BKDR_SDBOT.GEN

Type
Trojan

Description
Troj/Spybot-AW is an IRC backdoor Trojan which runs in the background as a service process and allows unauthorised remote access to the computer over a network. The attacker may issue commands that instruct the Trojan to attempt to spread using the RPC DCOM vulnerability used by W32/Blaster-A or using the backdoor on machines infected with W32/MyDoom-A.
The Trojan copies itself to the Windows system folder as SVCHOST.EXE and as another file with a random name, and adds the following registry entries to run itself on system restart:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service

Troj/Spybot-AW then logs on to predefined IRC servers and waits for backdoor commands. The Trojan also terminates the following processes: REGEDIT.EXE, MSCONFIG.EXE, TASKMGR.EXE and NETSTAT.EXE.

http://www.sophos.com/virusinfo/analyses/trojspybotaw.html
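
A triage check for the two Run entries listed above, as an added example that is not part of the original post or the Sophos analysis. It parses a text export of the registry (`.reg` format, already decoded to a string), which is useful here because the Trojan is described as terminating REGEDIT.EXE on a live system. It assumes the trailing `Windows Service` in the listed paths is the value name under the `Run` key. The function names, sample export and file names in it are constructed for illustration.

```python
import re

# Run keys named on the page; the trailing "Windows Service" component is
# read here as the value name (an assumption about the page's notation).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
VALUE_NAME = "windows service"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string escapes: \\ becomes \ and \" becomes "
    return re.sub(r"\\(.)", r"\1", s)

def find_run_entries(reg_text):
    """Return (key, value name, data) for each 'Windows Service' Run value."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower() in RUN_KEYS:
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if name.lower() == VALUE_NAME:
                hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Service"="C:\\WINDOWS\\System32\\example.exe"
"AVTray"="\"C:\\Program Files\\AV\\tray.exe\" /min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Service"="example.exe"

[HKEY_LOCAL_MACHINE\Software\Example]
"Windows Service"="unrelated"
'''

if __name__ == "__main__":
    for key, name, data in find_run_entries(SAMPLE):
        print(f"{key}\\{name} -> {data}")
```

A hit only shows that a value with that name exists; the file it points to still has to be examined before it is treated as the Trojan.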
