W32/Spybot-MH is a worm and IRC backdoor for the Windows platform.
W32/Spybot-MH runs continuously in the background, providing a backdoor server
which allows a remote intruder to gain access and control over the computer via
IRC channels.
W32/Spybot-MH spreads using a variety of techniques including exploiting weak
passwords on computers and using backdoors opened by other worms or Trojans.
W32/Spybot-MH also attempts to copy itself to the startup folder of attached
network drives and can be used to record the keystrokes on the compromised
computer, effectively acting as a keylogger. This worm can also be used to
initiate SYNFlood attacks.
W32/Spybot-MH attempts to continually terminate various programs, including the
following:
DUMP3-2INI.EXE
MMC.EXE
MSANTIV32.EXE
MSCONFIG.EXE
MSTASK.EXE
NAVAPW.EXE
NAVAPW32.EXE
NETSTAT.EXE
REGEDIT.EXE
TASKMAN.EXE
TASKMGR.EXE
TASKMON.EXE
The worm may attempt to steal passwords from the following programs/services:
AOL
Counter-Strike
Half-Life
Microsoft Windows
When first run, W32/Spybot-MH copies itself to <System>\zanbor.exe.
The following registry entries are created to run zanbor.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Windows Config = ZANBOR.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Config = ZANBOR.EXE
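
A check for the startup entries listed above, written for this page as an added example (it is not Sophos code). It assumes the input is the text printed by `reg query` for the two keys; the function and constant names are hypothetical and the sample output is constructed.

```python
import re

# Indicators from the description above: the two autorun keys, the value
# name "Windows Config" and the file name zanbor.exe.
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
VALUE_NAME = "windows config"
# zanbor.exe as a whole file name, bare or at the end of a path.
IMAGE_RE = re.compile(r'(?:^|[\\/"\s])zanbor\.exe(?:$|["\s])', re.IGNORECASE)
# `reg query` prints a value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")

# Constructed sample of `reg query` output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Windows Config    REG_SZ    ZANBOR.EXE
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    "C:\Tools\notzanbor.exe" /quiet

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    Windows Config    REG_SZ    ZANBOR.EXE
"""

def find_autoruns(reg_query_output):
    """Return (key, value name, data, reasons) for each matching autorun value."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()          # header line: start of a new key
            continue
        m = VALUE_LINE.match(line)
        if m is None or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        name, _type, data = m.groups()
        reasons = []
        if name.strip().lower() == VALUE_NAME:
            reasons.append("value name")
        if IMAGE_RE.search(data):
            reasons.append("image name")
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

if __name__ == "__main__":
    for key, name, data, reasons in find_autoruns(SAMPLE):
        print(f"{key}: {name} = {data} ({', '.join(reasons)})")
```

Because the worm terminates REGEDIT.EXE and MSCONFIG.EXE, the text is best collected from a remote session or an offline copy of the hives rather than interactively on the affected machine.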