You're in: Panda Security > Home Users > security-info > about-malware > encyclopedia > overview
Active Scan. Scan your PC free
Panda Security Product Line 2012

Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Encyclopedia GetVirusCard True 0

Spybot.AKB

 
Threat LevelModerate threatDamageHighDistributionNot widespread

Effects 

Spybot.AKB carries out the following actions:

  • It reaches the computer in a file with the following icon (the name of the file can be different):

    Icon of Spybot.AKB
  • Once run, it drops a file which installs an extension for Firefox and Chrome browsers, as can be seen in the image below:

    Extension installed on the browsers
  • In spite of choosing the Disable (Desactivar) or Uninstall (Desinstalar) option, the extension is disabled or uninstalled, but the file that has installed it remain memory resident.
  • This extension is used to redirect certain seraches carries out by the user to websites that can contain malware.
  • When users do searches that contain any of the following text strings, the extension is activated and starts redirecting to other websites:
    A: Airlines, Amazon,Antivir, Antivirus.

    B: Baseball, Books.

    C: Casino, Chrome, Cialis, Cigarettes, Comcast, Craigslist, Credit.

    D: Dating, Design, Doctor.

    E: Explorer

    F: Fashion, Finance, Firefox, Flifhts, Flower, Football

    G: Gambling, Gifts, Graphic.

    H: Health, Hotel.

    I: Insurance, Iphone.

    L: Loans.

    M: Medical, Military, Mobile, Money, Mortgage, Movie, Music, Myspace.

    O: Opera.

    P: Pharma, Pocker.

    S: School, Software, Sport, Spybot, Spyware.

    T: Trading, Tramadol, Travel, Twitter.

    V: Verizon, Video, Virus, Vocations.

    W: Wallpaper, Weather.
  • For example, if users do a search that contain the word "Antivirus" or "Virus", it attempts to connect to a website like the following whose address contain the keyword entered by the users:
    http://searchnx.com/se.php?pop=1&aid=YmxhY<blocked>D8&sid=1912146&key=antivirus
    http://searchnx.com/se.php?pop=1&aid=YmxhY    <blocked>D8&sid=19121941&key=virus
  • These addresses are no longer available: therefore users are not redirected to any malicious website, but to the legitimate website of the Bing searcher.
  • The real purpose was to redirect users to malicious websites from which more malware would be downloaded.

 

On the other hand, Spybot.AKB carries out other actions to reduce the security level of the computer:

  • It adds itself to the list of authorized applications by the Windows firewall in order to bypass it.
  • It disables the Windows error reporting service.
  • It disables the User Access Control service (UAC). It is a service which, on Windows 7/Vista computers, informs users of any program that attempts to be run or access the computer.

Infection strategy 

Spybot.AKB creates the following files in the Windows system directory:

  • GOOGLEUPDATES.EXE, which is a copy of the worm.
  • GNOTE.EXE.

 

Spybot.AKB creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Google Update3 = %sysdir%\GoogleUpdates.exe
    where %sysdir% is the Windows system directory.
    By creating this entry, Spybot.AKB ensures that it is run whenever Windows is started.
  • HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ SharedAccess\ Parameters\ FirewallPolicy\ StandardProfile\ AuthorizedApplications\ List
    %sysdir%\GoogleUpdates.exe = %sysdir%\GoogleUpdates.exe:*:Enabled:Explorer
    By creating this entry, Spybot.AKB adds itself to the list of authorized programs by the Windows firewall.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA = 00, 00, 00, 00
    It disables the User Access Control (UAC).
    It is a Windows 7/Vista feature that warns users of any program that attempts to be run or access the computer.
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    DeleteFlag = 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    FailureActions = 0A, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 54, 00, 41, 00, 00, 00, 00, 00, B8, 0B, 00, 00
    By creating these two entries, it disables the Windows error reporting service.
  • HKEY_CURRENT_USER\Software\Microsoft\Google3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Google3
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    google5 = 02
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    google6 = 10

 

Spybot.AKB modifies the following entry from the Windows Registry so that the Windows error reporting error is not automatically run:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    Start = 02, 00, 00, 00
    It changes this entry to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc
    Start = 04, 00, 00, 00

Means of transmission 

Spybot.AKB uses several means to spread itself in order to infect as many computers as possible.

Spybot.AKB spreads via email messages and P2P programs.

1.- Email messages

It reaches the computer in an email message that seems to be an invitation to Twitter sent by some friend. The message contains the Twitter logo and several links that point to the real Twitter website.

However, in order to accept the invitation or know who has sent it, the attached file has to be run. This file contains a copy of the worm, so if it is run, the computer will be affected by Spybot.AKB.

The email message used to distribute the worm is like the following:

Email message in which Spybot.AKB is distributed


If the attached file called INVITATION CARD.ZIP is decompressed, users will see that i contains a file that seems to be an image, as it has a JPG extension. However, after several blank spaces the EXE extensions can be seen:

Attached file once decompressed

 

2.- P2P programs

In order to do so, it follows the routine below:

  • The worm creates copies of itself in the shared folders of the following P2P programs:
    eMule
    LimeWire
    Morpheus
    Tesla
    Winmx
    eDonkey
    Bearshare
    Grokster
    Icq
    Kazaa
  • It uses the following names, passing itself off as interesting applications:
    Absolute Video Converter 6.2.exe
    Ad-aware 2010.exe
    Adobe Acrobat Reader keygen.exe
    Adobe Illustrator CS4 crack.exe
    Adobe Photoshop CS4 crack.exe
    Alcohol 120 v1.9.7.exe
    Anti-Porn v13.5.12.29.exe
    AnyDVD HD v.6.3.1.8 Beta incl crack.exe
    AOL Instant Messenger (AIM) Hacker.exe
    AOL Password Cracker.exe
    Ashampoo Snap 3.02.exe
    Avast 4.8 Professional.exe
    BitDefender AntiVirus 2010 Keygen.exe
    Blaze DVD Player Pro v6.52.exe
    Brutus FTP Cracker.exe
    CleanMyPC Registry Cleaner v6.02.exe
    Counter-Strike KeyGen.exe
    Daemon Tools Pro 4.11.exe
    DCOM Exploit.exe
    DivX 5.0 Pro KeyGen.exe
    Divx Pro 7 + keymaker.exe
    Download Accelerator Plus v9.exe
    Download Boost 2.0.exe
    DVD Tools Nero 10.5.6.0.exe
    FTP Cracker.exe
    G-Force Platinum v3.7.5.exe
    Google SketchUp 7.1 Pro.exe
    GoogleUpdates.exe
    Grand Theft Auto IV (Offline Activation).exe
    Half-Life 2 Downloader.exe
    Hotmail Cracker.exe
    Hotmail Hacker.exe
    ICQ Hacker.exe
    Image Size Reducer Pro v1.0.1.exe
    Internet Download Manager V5.exe
    IP Nuker.exe
    Kaspersky AntiVirus 2010 crack.exe
    Kaspersky Internet Security 2010 keygen.exe
    Keylogger.exe
    K-Lite Mega Codec v5.5.1.exe
    K-Lite Mega Codec v5.6.1 Portable.exe
    L0pht 4.0 Windows Password Cracker.exe
    LimeWire Pro v4.18.3.exe
    Magic Video Converter 8 0 2 18.exe
    McAfee Total Protection 2010.exe
    Microsoft Visual Basic KeyGen.exe
    Microsoft Visual C++ KeyGen.exe
    Microsoft Visual Studio KeyGen.exe
    Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.e
    Motorola, nokia, ericsson mobil phone tools.exe
    Mp3 Splitter and Joiner Pro v3.48.exe
    MSN Password Cracker.exe
    Myspace theme collection.exe
    Nero 9 9.2.6.0 keygen.exe
    NetBIOS Cracker.exe
    NetBIOS Hacker.exe
    Norton Anti-Virus 2005 Enterprise Crack.exe
    Norton Anti-Virus 2010 Enterprise Crack.exe
    Norton Internet Security 2010 crack.exe
    Password Cracker.exe
    PDF password remover (works with all acrobat reader).exe
    PDF to Word Converter 3.0.exe
    PDF Unlocker v2.0.3.exe
    PDF-XChange Pro.exe
    Power ISO v4.2 + keygen axxo.exe
    Rapidshare Auto Downloader 3.8.exe
    RapidShare Killer AIO 2010.exe
    sdbot with NetBIOS Spread.exe
    Sophos antivirus updater bypass.exe
    Sub7 2.3 Private.exe
    Super Utilities Pro 2009 11.0.exe
    Total Commander7 license+keygen.exe
    Trojan Killer v2.9.4173.exe
    Tuneup Ultilities 2010.exe
    Twitter FriendAdder 2.1.1.exe
    UT 2003 KeyGen.exe
    VmWare 7.0 keygen.exe
    VmWare keygen.exe
    Website Hacker.exe
    Winamp.Pro.v7.33.PowerPack.Portable+installer.exe
    Windows 2003 Advanced Server KeyGen.exe
    Windows 2008 Enterprise Server VMWare Virtual Machine.exe
    Windows 7 Ultimate keygen.exe
    Windows Password Cracker.exe
    Windows XP PRO Corp SP3 valid-key generator.exe
    Windows2008 keygen and activator.exe
    WinRAR v3.x keygen RaZoR.exe
    Youtube Music Downloader 1.0.exe
    YouTubeGet 5.4.exe
  • This way, the users that are looking for this type of programs could download and run them thinking they are inoffensive applications when they are copies of the worm.

Further Details  

Spybot.AKB is written in the programming language Visual C++ v5. This worm is 419,328 bytes in size.

 

Research carried out by Aitor Crespo.

>