Win32/Spymlex [Threat Name]

Win32/Spymlex.B [Threat Variant Name]

Category: worm
Size: 30720 B
Detection created: Nov 09, 2013
Detection database version: 9026
Aliases: Trojan.Win32.Agent.acgkz (Kaspersky)
  Trojan:Win32/Dynamer!dtc (Microsoft)
  Trojan.Dropper.VZL (BitDefender)

Short description

Win32/Spymlex.B is a worm that spreads via removable media.

Installation

When executed, the worm copies itself into the following location:

  • %alluserprofile%\ctfmon.exe

The file is then executed.


The worm creates the following file:

  • %windir%\winmm.dll (3584 B, Win32/Spymlex.B)

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
    • "SuperHidden" = 1
    • "ShowSuperHidden" = 0
    • "HideFileExt" = 1

Spreading on removable media

The worm copies itself into the root folders of removable drives with the filename based on the name of an existing file or folder.


The worm may create the following folders:

  • %removabledrive%\RECYOLER\

Other information

The worm can download and execute a file from the Internet.
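
A read-only triage check for the indicators listed in this description, as an added PowerShell example that is not part of the original write-up. The function name Get-SpymlexIndicator, the size comparisons, and the treatment of the Explorer values as a weak signal are assumptions made here.

```powershell
# Added example: read-only host triage for the indicators in this description.
function Get-SpymlexIndicator {
    # Files named on the page; sizes are the ones the page states (the worm
    # copies itself, so its copy is assumed to keep the 30720 B sample size).
    $files = @(
        @{ Path = Join-Path $env:ALLUSERSPROFILE 'ctfmon.exe'; Size = 30720 }
        @{ Path = Join-Path $env:windir 'winmm.dll'; Size = 3584 }
    )
    foreach ($f in $files) {
        $item = Get-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue
        if ($item) {
            [pscustomobject]@{
                Indicator = 'DroppedFile'
                Target    = $item.FullName
                Detail    = "length $($item.Length) B, page size match: $($item.Length -eq $f.Size)"
            }
        }
    }

    # Explorer view settings from the page. Clean systems can hold the same
    # values, so report them only as corroboration when all four match.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $expected = [ordered]@{ Hidden = 2; SuperHidden = 1; ShowSuperHidden = 0; HideFileExt = 1 }
    $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($props) {
        $hits = @($expected.Keys | Where-Object { $props.$_ -eq $expected[$_] })
        if ($hits.Count -eq $expected.Count) {
            [pscustomobject]@{
                Indicator = 'ExplorerSettings'
                Target    = $key
                Detail    = 'all four values match (weak signal on its own)'
            }
        }
    }

    # Removable drives (Win32_LogicalDisk DriveType 2): the RECYOLER folder and
    # any root-level file whose length equals the sample size.
    foreach ($d in (Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2')) {
        Get-ChildItem -LiteralPath "$($d.DeviceID)\" -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.PSIsContainer -and $_.Name -eq 'RECYOLER') -or
                           (-not $_.PSIsContainer -and $_.Length -eq 30720) } |
            ForEach-Object {
                $detail = if ($_.PSIsContainer) { 'folder' } else { "file, $($_.Length) B" }
                [pscustomobject]@{ Indicator = 'RemovableDrive'; Target = $_.FullName; Detail = $detail }
            }
    }
}

Get-SpymlexIndicator | Format-Table -AutoSize -Wrap
```

HKCU resolves to the hive of the account running the script, so run it in the affected user's session. A size match alone does not identify the file; submit any hit to an up-to-date scanner for confirmation.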
