
System Infected: Spadenf Trojan Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Pilleuz HTTP activity.

Additional Information

When executed, the worm copies itself as the following file:
%SystemDrive%\RECYCLER\[SID]\sysdate.exe

It also creates the following file:
%SystemDrive%\RECYCLER\[SID]\Desktop.ini

Note: [SID] is a Security Identifier (SID) similar to the following example:
S-1-5-21-0741203276-5174745523-898393899-9038

It then creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Taskman" = "%SystemDrive%\RECYCLER\[SID]\sysdate.exe"

It then connects to one or more of the following network addresses:

* qwertasdfg.sinip.es
* butterfly.sinip.es
* bfisback.no-ip.org
The worm then opens a back door on the compromised computer that allows a remote attacker to perform the following actions:

* Access local files
* Download files, including updates to the worm
* Execute arbitrary commands
* Perform denial of service attacks
* Modify the hosts file
* Steal information from Web browsers, including cookies and saved passwords
The worm spreads by copying itself to removable drives as the following file:
%DriveLetter%\Resources\sEtuP64.exe

It also copies the following file so that it runs when the removable drives are connected to another computer:
%DriveLetter%\autorun.inf

The worm also attempts to spread by copying itself to the shared folders of the following file-sharing programs:

* Ares
* BearShare
* DC++
* eMule
* iMesh
* Kazaa
* LimeWire
* Shareaza
It also sends instant messages that contain links to copies of itself.
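A host triage script for the artifacts listed above, added here as an example; it is not part of the Symantec write-up. It assumes the file, registry and domain names exactly as documented, and checks the C2 names only against the local resolver cache.

```powershell
# Added example, not part of the Symantec write-up: host triage for the
# W32.Pilleuz artifacts documented above. Assumes the artifact names exactly
# as listed; the C2 names are checked only against the local DNS cache.
$findings = @()

# 1. Persistence: Winlogon "Taskman" pointing into RECYCLER\<SID>\sysdate.exe
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman  = (Get-ItemProperty -Path $winlogon -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman -and $taskman -match '\\RECYCLER\\S-1-5-[\d-]+\\sysdate\.exe$') {
    $findings += "Winlogon Taskman persistence: $taskman"
}

# 2. Dropped copy under %SystemDrive%\RECYCLER\<SID>\ (Desktop.ini is not
#    checked on its own: a legitimate Desktop.ini normally exists there)
$recycler = Join-Path $env:SystemDrive 'RECYCLER'
if (Test-Path $recycler) {
    Get-ChildItem -Path $recycler -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^S-1-5-' } |
        ForEach-Object {
            $copy = Join-Path $_.FullName 'sysdate.exe'
            if (Test-Path $copy) { $findings += "Dropped file: $copy" }
        }
}

# 3. Removable drives (DriveType 2): autorun.inf launching Resources\sEtuP64.exe
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root    = $_.DeviceID + '\'
    $payload = Join-Path $root 'Resources\sEtuP64.exe'
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path $payload) { $findings += "Removable-drive copy: $payload" }
    if ((Test-Path $autorun) -and (Select-String -Path $autorun -Pattern 'sEtuP64\.exe' -Quiet)) {
        $findings += "autorun.inf referencing the worm: $autorun"
    }
}

# 4. Command-and-control names resolved recently (local resolver cache only)
$c2 = 'qwertasdfg.sinip.es', 'butterfly.sinip.es', 'bfisback.no-ip.org'
$dnsCache = (ipconfig /displaydns 2>$null) -join "`n"
foreach ($name in $c2) {
    if ($dnsCache -match [regex]::Escape($name)) { $findings += "DNS cache entry: $name" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No W32.Pilleuz artifacts found on this host.' }
```

Run it from an elevated PowerShell session so the Winlogon key and RECYCLER folders are readable; a hit on the Taskman value is the strongest single indicator, since that value is rarely set on a clean system.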

Affected

  • Windows