Trojan.SpBot Trojan Information

Name: Trojan.SpBot
Category: Trojan
Advice: Remove
Risk: Severe Risk
Severe threats typically are remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any user interaction, and exploits are in the wild. There is a high probability of system damage or a security breach: an attacker can gain complete control over your computer or install new software on your machine.

Description:
Trojan.Spbot is a Trojan horse that allows a compromised computer to be used as an email relay. Computers compromised in this way are often used to relay spam.
Modifies the value:
"DoNotAllowXPSP2" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
to lower security settings.
Modifies the values:
"AntiVirusDisableNotify" = "1"
"FirewallDisableNotify" = "1"
"AntiVirusOverride" = "1"
"FirewallOverride" = "1"
"UpdatesDisableNotify" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
to lower security settings.
Modifies the value:
"AUOptions" = "1"
in the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
to lower security settings.
Modifies the value:
"EnableFirewall" = "0x0"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
to disable the Microsoft firewall.
Modifies the value:
"Start" = "4"
in the registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
to disable the Microsoft Security Center.
Modifies the values:
"1001" = "1"
"1004" = "1"
"1200" = "0"
"1809" = "3"
in the registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
to lower security settings.
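As an added example (not part of this advisory), the following PowerShell audit reads the registry values listed above and reports any that still hold the tampered data, which is a quick way to confirm whether a host was hit and whether cleanup restored the settings. The HKLM:/HKCU: drive notation and the iteration over the numbered zone child keys beneath the Zones subkey are assumptions; run it in an elevated session.

```powershell
# Added example, not the advisory's own code: audit the registry values that
# the Trojan.SpBot description lists as modified. Paths, value names and the
# tampered data come from the description above.

$Checks = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'; Name = 'DoNotAllowXPSP2'; Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify';  Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride';      Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';       Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify';   Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; Name = 'AUOptions'; Bad = 1 }
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';   Name = 'EnableFirewall'; Bad = 0 }
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name = 'EnableFirewall'; Bad = 0 }
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start'; Bad = 4 }
)

# Zone settings: the description names the Zones subkey; the per-zone values
# live in its numbered child keys, so each child key in both hives is
# inspected (assumption about where the Trojan writes them).
$ZoneValues = @{ '1001' = 1; '1004' = 1; '1200' = 0; '1809' = 3 }
foreach ($hive in 'HKLM', 'HKCU') {
  $zones = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
  if (Test-Path $zones) {
    Get-ChildItem $zones | ForEach-Object {
      foreach ($n in $ZoneValues.Keys) {
        $Checks += @{ Path = $_.PSPath; Name = $n; Bad = $ZoneValues[$n] }
      }
    }
  }
}

# A missing key or value is not a finding: the Trojan's tampering only shows
# as a value that is present and equal to the data the description gives.
$Findings = foreach ($c in $Checks) {
  if (-not (Test-Path $c.Path)) { continue }
  $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { continue }
  $actual = $item.$($c.Name)
  if ([int]$actual -eq $c.Bad) {
    [pscustomobject]@{ Path = $c.Path; Value = $c.Name; Data = $actual; Status = 'matches SpBot tampering' }
  }
}

if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No SpBot-style registry tampering found.' }
```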
Sends notifications of its status via the following URLs:
rsp.btthost.com/alive.php
rsp.btthost.com/inst.php
rsp.btthost.com/report.php
rsp.btthost.com/num.php
rsp.btthost.com/resend.php
rsp.btthost.com/task.php
Opens a back door on UDP port 256.
Works as an email relay for spam.
Uses a randomly created sender address from one of the following domains:

Type: Trojan - A Trojan is any software on a user's computer that the user is not aware of or did not intentionally install. Most Trojan software is designed to perform actions that could jeopardize the user's security or privacy.