Virus Profile: W32/Spybot.bfr!f

Risk Assessment: Home Low | Corporate Low
Date Discovered: 6/29/2012
Date Added: 6/29/2012
Origin: N/A
Length: Varies
Type: Virus
Subtype: Win32
DAT Required: 6757


This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it is quite common for viruses to do nothing more than spread from one system to another.


Aliases –

  • NOD32 - Win32/Injector.Autoit.AG
  • Microsoft - TrojanDownloader:Win32/Dofoil.R
  • Norman - W32/Troj_Generic.DATZU
  • Symantec - Trojan.Smoaler

Indication of Infection

The symptoms of this detection are the files, registry entries, and network communication referenced in the Virus Characteristics section.

Methods of Infection

Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

Virus Characteristics

----------------------------Updated on 08 Oct 2012--------------------------------

Aliases –

  • Microsoft - Worm:Win32/Cridex.E
  • Ikarus  - Trojan-Spy.Win32.Zbot
  • Norman - W32/Suspicious_Gen4.BEQFA
  • Trend  - PAK_Generic.007

Upon execution the worm tries to connect to a number of remote IP addresses over port 80 (the addresses are partially redacted in this profile).

Captured POST request (note the empty Host header; the 354-byte binary request body is omitted here):

POST /mx/5/A/in/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)
Host:
Content-Length: 354
Connection: Keep-Alive
Cache-Control: no-cache

Server response:

HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 04 Oct 2012 10:51:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.17-1~dotdeb.0
Vary: Accept-Encoding

Upon execution the worm copies itself to the following locations:

  • %Appdata%\KB01466137.exe
  • %Temp%\exp3A.tmp

The following registry keys have been added to the system:

HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows NT\CC3814067
HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows NT\S192265D1

The following registry key values have been added to the system:

HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows NT\S192265D1\:[Binary data]

HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\ProgramsCache: [Binary data]

HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000

The above registry value ensures that the worm starts Internet Explorer in online mode.

HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run\KB01466137.exe: ""%AppData%\KB01466137.exe""

The above Run key value ensures that the worm is registered on the compromised system and executes itself upon every boot.


W32/Spybot.bfr!f is a detection for this virus, which may allow attackers to gain access to infected computers and carry out dangerous actions on them.

Upon execution it injects malicious code into svchost.exe and tries to connect to the following URLs and IP addresses over remote port 80 (HTTP):

  • Gun[Removed]
  • Fur[Removed]
  • 65.54.[Removed].180
  • 37.221.[Removed].149

Upon execution it copies itself to the following locations:

  • %Appdata%\FCAAE8.exe
  • %Temp%\ampere2.dat
  • %Temp%\aut148.tmp

The following registry value has been added to the system:

HKU\S-1-5-[Varies]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\eMule: "%AppData%\FCAAE8.exe"

The above registry entry confirms that the virus executes every time Windows starts.

The following API functions confirm that the virus may send and receive files between the remote attacker and the compromised system:

  • WNetGetConnectionW
  • FtpOpenFileW
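As an added, defender-side example that is not part of the McAfee profile, the following Python checks a registry export for the two autorun values described above (and, generalised, any autorun pointing at an .exe dropped directly under %AppData% or %Temp%) and matches raw HTTP requests against the captured check-in. The sample registry text and request are constructed for the demo, and the .reg-style parser is a deliberately minimal assumption.

```python
import re
# Constructed sample inputs (not the profile's own capture): a .reg-style export with
# the two autorun values from the profile plus a benign entry, and one check-in request.
SAMPLE_REG = r'''[HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows\CurrentVersion\Run]
"KB01466137.exe"="\"%AppData%\\KB01466137.exe\""
[HKEY_USERS\S-1-5-21-1708537768-606747145-725345543-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"eMule"="%AppData%\\FCAAE8.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''
BEACON_PATH = "/mx/5/A/in/"                    # request path from the captured POST
BEACON_UA = "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)"
SAMPLE_POST = ("POST /mx/5/A/in/ HTTP/1.1\r\nAccept: */*\r\nUser-Agent: " + BEACON_UA + "\r\nHost: \r\n"
               "Content-Length: 354\r\nConnection: Keep-Alive\r\n\r\n" + "\x00" * 354)
AUTORUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\policies\explorer\run")
KNOWN_DROPS = {"kb01466137.exe", "fcaae8.exe"}  # dropped file names from the profile

def parse_reg_export(text):
    """Yield (key, value_name, data) from a minimal .reg-style text export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # undo .reg escaping of \" and \\
                yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))

def suspicious_autoruns(reg_text):
    """Autoruns naming a known dropped file, or (heuristic) an .exe directly under %AppData%/%Temp%."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(AUTORUN_KEYS):
            continue
        exe = data.strip('"')
        base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in KNOWN_DROPS or re.fullmatch(r"%(appdata|temp)%\\[^\\]+\.exe", exe, re.I):
            hits.append((key, name, exe))
    return hits

def is_beacon_request(raw):
    """True when a raw HTTP request matches the captured check-in: POST to the path, exact UA, empty Host."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    parts = head[0].split() + ["", ""]  # tolerate a malformed request line
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in head[1:] if ":" in h)}
    return (parts[0] == "POST" and parts[1] == BEACON_PATH
            and headers.get("user-agent") == BEACON_UA and not headers.get("host"))
```

Both checks are exact-match indicators from this profile; the %AppData%/%Temp% heuristic is the only generalisation and will need tuning against legitimate per-user installers.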


Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
