Trojan:W32/Spybot.JT

Classification

Category: Malware
Type: Trojan
Aliases: Trojan:W32/Spybot.JT

Summary

Trojan:W32/Spybot.JT is distributed in a file named '7zs.sfx.exe'. Once executed, the malware creates files that run automatically each time the machine is started, takes screenshots and stores the captured images in a folder.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the '7zs.sfx.exe' file is launched, Trojan:W32/Spybot.JT installs itself on the machine so that its files automatically run at each system startup.

To do so, the malware first creates the following file:

  • %localsettings\Temp\7zS1.tmp\mshelp.exe

The bulk of the malicious activity is performed by the svchost.exe file, which is also created at this point. To make sure these files are run each time the computer is started, the malware modifies the registry by editing the following keys:

  • HKLM\SYSTEM\CurrentControlSet\Services\MWWPAS\Parameters
  • HKLM\System\CurrentControlSet\Services\MWWPAS\Security
  • HKLM\System\CurrentControlSet\Services\MWWPAS
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

The following mutex objects are also created to prevent re-infection of an already infected machine:

  • My_Name
  • Global\pmaa
  • Global\rfcuzmumlnovmqmf

Once created, the 'mshelp.exe' file will create the following files:

  • \windows\system32\krnbavh.dp
  • \windows\system32\iumwwpas.dll
  • %temp%\kver34t.bat

It also uses the following files to support its later malicious actions:

  • %windir%\system32\attrib.exe
  • %windir%\system32\cmd.exe

The 'kver34t.bat' file then searches for and deletes the 'mshelp.exe' file. To do so, it first changes the attributes of the 'mshelp.exe' file with the -a, -r, -s and -h attrib switches, which clear the archive, read-only, system and hidden file attributes; the file can then be deleted.

The svchost.exe process will create the following file:

  • \documents and settings\all users\drm\rastls\gifjzguqrgrje

While the malware is running on the infected machine, its main payload is to take screenshots continuously, every few seconds; the images are saved at the following location:

  • %userprofile%\DRM\screen\SYSTEM\[filename based on infected machine's timestamp].jpg
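A host-side check for the artifacts listed in this section, added here as an example and not part of this description or of any F-Secure tool. It assumes a Windows host for the live registry and mutex lookups (winreg and OpenMutexW via ctypes); the predicates are injectable so the matching logic itself runs, and can be exercised with constructed results, on any system.

```python
"""Check a host for the Trojan:W32/Spybot.JT artifacts listed above.

Indicator values are quoted from the description. The legitimate
HKLM\...\Svchost key exists on every Windows host, so only the
MWWPAS service keys (the distinctive ones) are checked.
"""
import ctypes
import os

# File paths exactly as listed; a leading backslash resolves against the
# root of the current drive on Windows, unknown %vars% stay unexpanded.
FILES = [
    r"%localsettings\Temp\7zS1.tmp\mshelp.exe",
    r"\windows\system32\krnbavh.dp",
    r"\windows\system32\iumwwpas.dll",
    r"%temp%\kver34t.bat",
    r"\documents and settings\all users\drm\rastls\gifjzguqrgrje",
    r"%userprofile%\DRM\screen\SYSTEM",  # folder holding the screenshots
]
REG_KEYS = [  # relative to HKEY_LOCAL_MACHINE; base key listed first
    r"SYSTEM\CurrentControlSet\Services\MWWPAS",
    r"SYSTEM\CurrentControlSet\Services\MWWPAS\Parameters",
    r"SYSTEM\CurrentControlSet\Services\MWWPAS\Security",
]
MUTEXES = ["My_Name", r"Global\pmaa", r"Global\rfcuzmumlnovmqmf"]

def _win_reg_key_exists(subkey):
    import winreg  # Windows only; imported lazily so the module loads elsewhere
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey))
        return True
    except OSError:
        return False

def _win_mutex_exists(name):
    k32 = ctypes.windll.kernel32  # Windows only
    k32.OpenMutexW.restype = ctypes.c_void_p
    handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.GetLastError() == 5  # ERROR_ACCESS_DENIED: exists, not ours

def scan(file_exists=os.path.exists, reg_key_exists=None, mutex_exists=None):
    """Return the indicators present on the host, grouped by kind."""
    reg_key_exists = reg_key_exists or _win_reg_key_exists
    mutex_exists = mutex_exists or _win_mutex_exists
    return {
        "files": [p for p in FILES if file_exists(os.path.expandvars(p))],
        "registry": [k for k in REG_KEYS if reg_key_exists(k)],
        "mutexes": [m for m in MUTEXES if mutex_exists(m)],
    }

def verdict(hits):
    """A mutex or MWWPAS key hit means the trojan is or was active; a lone
    file hit (e.g. a leftover screenshot folder) warrants manual review."""
    strong = hits["mutexes"] or hits["registry"]
    return "infected" if strong else ("suspicious" if hits["files"] else "clean")

if __name__ == "__main__":
    found = scan()
    print(verdict(found), found)
```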