
Virus Detail

Win32.Spybot

Date Published:
9 Jul 2003

Last Updated:
13 Jan 2005

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  Medium

Characteristics

Type : Worm

Category : Win32

Also known as:  W32.Donk.R, Win32/P2P.SpyBot.Variant.Worm, Win32.Spybot.gen, W32.Spybot.Worm (Symantec), W32/Spybot.worm.gen (McAFee)

Immediate Protection Info

Signature     Product
23.61.65      eTrust Antivirus v7/8* (InoculateIT Engine)
5.x/2512      eTrust EZ Antivirus 5.x
6.x/4734      eTrust EZ Antivirus 6.1x
23.61.65      eTrust InoculateIT 6.0; eTrust Antivirus 6.0
43.65         Inoculan/InoculateIT 4.x
10.5x/4734    Vet Anti-Virus 10.5x

Description

Win32.Spybot is an open source IRC bot. Because the source for this bot is distributed in an open and modular manner, many slightly different variants exist in the wild. Most allow a victim's machine to be controlled in some manner by a remote user via IRC (Internet Relay Chat), while some can also spread via P2P networks.

Apart from having standard backdoor functionality, such as the ability to:

  • Gather configuration information about the local machine, including connection type, CPU speed and general information about the local drives.
  • Install or delete files on the local machine.
  • Perform other miscellaneous commands on the local machine.

Win32.Spybot may also be able to (depending on the variant):

  • Spread via KaZaA P2P networks, or through machines already infected with the backdoor programs Kuang or Sub Seven
  • Download files via the Internet
  • Keylog (i.e. log keystrokes on the affected machine)
  • Kill firewall or antivirus software processes to avoid detection
  • Act as an HTTP server

By default, Spybot ensures it is run at startup by modifying the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Bots of this kind are a popular tool for conducting Distributed Denial of Service (DDoS) attacks against a target, and they can also be used for a number of other illegitimate purposes, such as port scanning, spamming or flooding unsuspecting targets.

Analysis by Scott Molenkamp

CA Global Security Advisor
