Sophos

Troj/Spybot-BZ

Aliases
  • Backdoor.SdBot.jb
  • W32/Spybot.worm.gen.m
  • virus

Summary

 
Included in our products from June 2004 (3.82)
Protection available since 6 May 2004 12:37:58 (GMT)
Detected by All Sophos products

More Information

Troj/Spybot-BZ is an IRC backdoor Trojan which runs in the background as a
service process and allows unauthorised remote access to the computer over a
network.

The Trojan copies itself to the Windows system folder as system32.exe or as a
random filename. The Trojan also adds the following registry keys to ensure it
starts on logon:

HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce\
System Terminal = SYSTEM2.EXE

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
System Terminal = SYSTEM2.EXE

Troj/Spybot-BZ then logs on to predefined IRC servers and waits for backdoor
commands. The Trojan also terminates the following processes:

REGEDIT.EXE
MSCONFIG.EXE
TASKMGR.EXE
NETSTAT.EXE.
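
An added triage example, not Sophos code: the Python below scans text produced by `reg query` for the two autorun keys listed above and flags the "System Terminal" value and the file names SYSTEM2.EXE and system32.exe. The sample output, the function names and the file name qwkzt.exe are constructed for illustration.

```python
import re

# Indicators from the description above. Both file names are listed because the
# page gives system32.exe for the dropped copy and SYSTEM2.EXE in the registry.
AUTORUN_KEYS = {r"hkcu\software\microsoft\windows\currentversion\runonce",
                r"hklm\software\microsoft\windows\currentversion\run"}
VALUE_NAME = "system terminal"
FILE_NAMES = {"system2.exe", "system32.exe"}
HIVES = {"hkey_current_user": "hkcu", "hkey_local_machine": "hklm"}
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Constructed `reg query` output (not captured from a real host); qwkzt.exe
# stands in for the random file name the Trojan may use.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    System Terminal    REG_SZ    SYSTEM2.EXE

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    System Terminal    REG_SZ    C:\WINDOWS\system32\qwkzt.exe
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

def normalise_key(line):
    """Lower-case a key path and shorten the hive name to hkcu/hklm."""
    hive, _, rest = line.strip().rstrip("\\").lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

def find_spybot_bz_autoruns(reg_output):
    """Return (key, value name, data, reasons) for each matching autorun value."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line names the registry key
            key = normalise_key(line)
            continue
        m = VALUE_LINE.match(line)
        if not m or key not in AUTORUN_KEYS:
            continue
        reasons = []
        if m["name"].lower() == VALUE_NAME:
            reasons.append("value-name")
        exe = EXE_NAME.search(m["data"])
        if exe and exe.group(1).lower() in FILE_NAMES:
            reasons.append("file-name")
        if reasons:
            hits.append((key, m["name"], m["data"], reasons))
    return hits
```

Matching on the value name also catches a copy stored under a random file name, which a file-name check alone would miss.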
