Your essential free software toolbox

SHARE
THIS ON

Trojan.Spambot.AZ

HIGH

LOW

variable

(Trojan.Spabot)

The presence of the following registry keys:

where %SOME_64_HEX_DIGITS% is a hex value containing 64 hex digits such as 4F403...27E and %SOME_PID% is a hex value such as 0x65c (1628).

Please let BitDefender delete the files that belong to this trojan.

Marius Botis, virus researcher

This is a trojan which:

wscsvc (Security Center service; a service that displays notifications about the firewall and antivirus software installed on the computer);
SharedAccess (Windows Firewall service);
kavsvc;
SAVScan;
Symantec Core LC;
navapsvc;
wuauserv (Auto Update Service).

deletes the registry keys that would allow Kaspersky AntiVirus to start after each reboot: Software\Microsoft\Windows\CurrentVersion\Run\KAVPersonal50;
continuously searches for notification windows displayed by various firewall applications and closes them. In this way, the trojan bypasses some security applications by telling them that the user allows this program to connect to various Internet addresses (the list of the firewalls that this trojan tries to trick is: ZoneAlarm, Outpost1, Outpost2, Outpost3, Sygate Personal Firewall Pro, WinRoute, McAfee Personal Firewall);
sends reports about its actions to a server having the IP 211.233.58.116;
self assigns the rights to bypass the firewall service provided by SharedAccess by adding itself to the following registry key: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ FirewallPolicy\StandardProfile\AuthorizedApplications\List
chooses randomly one of the following web domain and determines the mail (SMTP) server of that domain: