W32/Spybot-DN is a Windows worm that spreads via network shares with weak passwords.
The worm runs in the background as a process or a service process and has a backdoor component that allows a remote intruder to gain access to and control over the computer via IRC channels.
When run, W32/Spybot-DN moves itself to %SYSTEM%\rundll.exe and creates the following registry entries so that it runs on user logon:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    @ = RUNDLL.EXE

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    @ = RUNDLL.EXE
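A read-only check for the two autorun entries and the relocated file described above. This is an added example, not part of the original description; it assumes the "@" in the listing denotes each key's (Default) value, and the variable names are chosen here for illustration.

```powershell
# Read-only triage for the W32/Spybot-DN persistence described above.
# Assumption: the "@" in the listing is the key's (Default) value; every
# value under each key is checked as well, in case the name differs.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Matches the file name rundll.exe, bare or at the end of a path, quoted or
# followed by arguments. It does not match the legitimate rundll32.exe.
$pattern = '(^|[\\"\s])rundll\.exe(["\s]|$)'

$findings = @(foreach ($path in $runKeys) {
    $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    # GetValueNames() reports the (Default) value as an empty name.
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match $pattern) {
            [pscustomobject]@{
                Indicator = 'Autorun entry'
                Location  = $path
                Name      = if ($name -eq '') { '(Default)' } else { $name }
                Detail    = $data
            }
        }
    }
})

# %SYSTEM%\rundll.exe: the location the worm moves itself to.
$dropped = Join-Path ([Environment]::SystemDirectory) 'rundll.exe'
if (Test-Path -LiteralPath $dropped -PathType Leaf) {
    $findings += [pscustomobject]@{
        Indicator = 'File in system directory'
        Location  = $dropped
        Name      = 'rundll.exe'
        Detail    = (Get-FileHash -LiteralPath $dropped -Algorithm SHA256).Hash
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-List
} else {
    'No rundll.exe autorun entry or system-directory file found.'
}
```

The HKCU check covers only the account running the script, and RunOnce values are removed once they have run, so a clean result for that key is not conclusive on its own.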
The worm attempts to terminate processes related to anti-virus and security programs.
When instructed by a remote attacker, W32/Spybot-DN attempts to perform the following functions:
run a remote shell
shut down the computer
terminate processes
log keystrokes
download files from the internet and run them
list / delete / rename files
steal AOL Instant Messenger login info
steal CD keys
steal cached network share passwords
run an HTTP server
redirect network traffic
scan network ports
launch Distributed Denial of Service (DDoS) attacks
The worm may take advantage of the vulnerabilities exploited by MyDoom, NetDevil, Sub7, and Kuang.