W32/Spybot-OI is a worm and IRC backdoor Trojan for the Windows platform.
When run W32/Spybot-OI copies itself to <Windows>\ServiceLayer.exe and sets the following registry entry to run itself on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows Service Exec
ServiceLayer.exe
W32/Spybot-OI spreads via MSN Messenger.
W32/Spybot-OI includes functionality to:
- download code from a remote website
- disable security and firewall settings
- harvest information from the infected computer and store it to the file <Windows>\adminlogg.txt. This file can be safely deleted.