
System Infected: Spadenf Trojan Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.


This signature detects W32.Pilleuz HTTP activity.

Additional Information

When executed, the worm copies itself as the following file:

It also creates the following file:

Note: [SID] is a Security Identifier (SID) similar to the following example:

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%SystemDrive%\RECYCLER\[SID]\sysdate.exe"
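As an added example (not part of Symantec's write-up), the following PowerShell checks a host for the Winlogon "Taskman" persistence value described above and classifies it. The function names and the sample registry values are constructed for illustration; the key, value name and RECYCLER\[SID]\sysdate.exe path shape come from this page.

```powershell
# Added example for this advisory, not Symantec code. Checks the Winlogon
# "Taskman" value that W32.Pilleuz sets to %SystemDrive%\RECYCLER\[SID]\sysdate.exe.
# Assumption: Taskman is normally absent, so any value present deserves review.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-PilleuzTaskman {
    param([string]$Value)

    # SID shape: S-1-<authority>-<two or more sub-authorities>, e.g. S-1-5-21-...
    $sidPattern = 'S-1-\d+(?:-\d+){2,}'
    # Path shape from the advisory; %SystemDrive% may already be expanded to C:
    $pilleuzPattern = "(?i)\\RECYCLER\\$sidPattern\\sysdate\.exe$"

    if ([string]::IsNullOrWhiteSpace($Value)) {
        return [pscustomobject]@{ Present = $false; MatchesPilleuz = $false; Value = $null }
    }
    [pscustomobject]@{
        Present        = $true
        MatchesPilleuz = [bool]($Value -match $pilleuzPattern)
        Value          = $Value
    }
}

function Get-TaskmanValue {
    # Returns $null when the value does not exist (the normal case on a clean host)
    $props = Get-ItemProperty -Path $WinlogonKey -Name Taskman -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.Taskman
}

# Constructed sample values (not taken from a real host) to show the classification
$samples = @(
    $null,
    'C:\Windows\System32\taskmgr.exe',
    '%SystemDrive%\RECYCLER\S-1-5-21-1454471165-1004336348-682003330-1013\sysdate.exe'
)
foreach ($s in $samples) { Test-PilleuzTaskman -Value $s }

# Live check of this host
$live = Test-PilleuzTaskman -Value (Get-TaskmanValue)
if ($live.MatchesPilleuz) {
    Write-Warning "Winlogon Taskman points at a RECYCLER\<SID>\sysdate.exe path: $($live.Value)"
} elseif ($live.Present) {
    Write-Warning "Winlogon Taskman is set (unusual); review: $($live.Value)"
} else {
    'Winlogon Taskman value not present.'
}
```

Run from an elevated prompt so HKLM is readable; a present but non-matching value is still worth reviewing, since Taskman is rarely set legitimately.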

It then connects to one or more of the following network addresses:

* qwertasdfg.sinip.es
* butterfly.sinip.es
* bfisback.no-ip.org

The worm then opens a back door on the compromised computer that allows a remote attacker to perform the following actions:

* Access local files
* Download files, including updates to the worm
* Execute arbitrary commands
* Perform denial of service attacks
* Modify the hosts file
* Steal information from Web browsers, including cookies and saved passwords

The worm spreads by copying itself to removable drives as the following file:

It also copies the following file so that it runs when the removable drives are connected to another computer:

The worm also attempts to spread by copying itself to the shared folders of the following file-sharing programs:

* Ares
* BearShare
* DC++
* eMule
* iMesh
* Kazaa
* LimeWire
* Shareaza

It also sends instant messages that contain links to copies of itself.
