Spybot.AKB carries out the following actions:
- It reaches the computer in a file with the following icon (the name of the file can be different):
- Once run, it drops a file which installs an extension for Firefox and Chrome browsers, as can be seen in the image below:
- Even if the Disable (Desactivar) or Uninstall (Desinstalar) option is chosen, the extension is disabled or uninstalled, but the file that installed it remains memory resident.
- This extension is used to redirect certain searches carried out by the user to websites that may contain malware.
- When a user's search contains any of the following text strings, the extension is activated and starts redirecting to other websites:
A: Airlines, Amazon, Antivir, Antivirus.
B: Baseball, Books.
C: Casino, Chrome, Cialis, Cigarettes, Comcast, Craigslist, Credit.
D: Dating, Design, Doctor.
F: Fashion, Finance, Firefox, Flifhts, Flower, Football.
G: Gambling, Gifts, Graphic.
H: Health, Hotel.
I: Insurance, Iphone.
M: Medical, Military, Mobile, Money, Mortgage, Movie, Music, Myspace.
P: Pharma, Pocker.
S: School, Software, Sport, Spybot, Spyware.
T: Trading, Tramadol, Travel, Twitter.
V: Verizon, Video, Virus, Vocations.
W: Wallpaper, Weather.
- For example, if users run a search containing the word "Antivirus" or "Virus", it attempts to connect to a website like the following, whose address contains the keyword entered by the user:
- These addresses are no longer available; therefore, users are not redirected to a malicious website but to the legitimate Bing search engine website.
- The real purpose was to redirect users to malicious websites from which more malware would be downloaded.
In addition, Spybot.AKB carries out other actions that reduce the security level of the computer:
- It adds itself to the list of applications authorized by the Windows firewall in order to bypass it.
- It disables the Windows error reporting service.
- It disables the User Access Control (UAC) service. This is a service which, on Windows 7/Vista computers, informs users of any program that attempts to run or access the computer.
Spybot.AKB creates the following files in the Windows system directory:
- GOOGLEUPDATES.EXE, which is a copy of the worm.
Spybot.AKB creates the following entries in the Windows Registry:
Google Update3 = %sysdir%\GoogleUpdates.exe
where %sysdir% is the Windows system directory.
By creating this entry, Spybot.AKB ensures that it is run whenever Windows is started.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%sysdir%\GoogleUpdates.exe = %sysdir%\GoogleUpdates.exe:*:Enabled:Explorer
By creating this entry, Spybot.AKB adds itself to the list of applications authorized by the Windows firewall.
EnableLUA = 00, 00, 00, 00
It disables the User Access Control (UAC).
It is a Windows 7/Vista feature that warns users of any program that attempts to run or access the computer.
DeleteFlag = 01, 00, 00, 00
FailureActions = 0A, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 01, 00, 00, 00, 54, 00, 41, 00, 00, 00, 00, 00, B8, 0B, 00, 00
By creating these two entries, it disables the Windows error reporting service.
google5 = 02
google6 = 10
Spybot.AKB modifies the following entry in the Windows Registry so that the Windows error reporting service is not run automatically:
Start = 02, 00, 00, 00
It changes this entry to:
Start = 04, 00, 00, 00
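The registry changes listed above (the Run-key persistence entry, the firewall AuthorizedApplications entry, EnableLUA set to 0, and the error reporting service set to Start=4 with DeleteFlag=1) can be checked for in an exported .reg file. The following detector is an added example, not code from the original description or from Panda Security; the .reg fragment is constructed, and the key paths for EnableLUA (Policies\System) and the error reporting service (ERSvc) are assumptions, since the page gives only the value names.

```python
import re

# Constructed .reg export fragment (not a real capture). Key paths for
# EnableLUA and the error reporting service (ERSvc) are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update3"="C:\\WINDOWS\\system32\\GoogleUpdates.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\GoogleUpdates.exe"="C:\\WINDOWS\\system32\\GoogleUpdates.exe:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ERSvc]
"Start"=dword:00000004
"DeleteFlag"=dword:00000001
"""

# One .reg value line: "name"=dword:XXXXXXXX  or  "name"="string"
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {key_path: {value_name: data}}; dwords become ints, strings are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, dword, string = m.groups()
                keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys

def find_indicators(text):
    """Return the sorted list of Spybot.AKB registry indicators present in a .reg export."""
    hits = set()
    for key, values in parse_reg(text).items():
        k = key.lower()
        for name, data in values.items():
            if k.endswith(r"\currentversion\run") and str(data).lower().endswith(r"\googleupdates.exe"):
                hits.add("run_persistence")            # Google Update3 = %sysdir%\GoogleUpdates.exe
            if k.endswith(r"authorizedapplications\list") and name.lower().endswith("googleupdates.exe"):
                hits.add("firewall_bypass")            # worm added to the firewall allow list
            if name.lower() == "enablelua" and data == 0:
                hits.add("uac_disabled")               # EnableLUA = 0
        # A service marked disabled (Start=4) and flagged for deletion (DeleteFlag=1)
        if "\\services\\" in k and values.get("Start") == 4 and values.get("DeleteFlag") == 1:
            hits.add("service_disabled:" + key.rsplit("\\", 1)[-1])
    return sorted(hits)

if __name__ == "__main__":
    print(find_indicators(SAMPLE_REG))
```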
Means of transmission
Spybot.AKB uses several means to spread itself in order to infect as many computers as possible.
Spybot.AKB spreads via email messages and P2P programs.
1.- Email messages
It reaches the computer in an email message that seems to be an invitation to Twitter sent by a friend. The message contains the Twitter logo and several links that point to the real Twitter website.
However, in order to accept the invitation or find out who sent it, the attached file has to be run. This file contains a copy of the worm, so if it is run, the computer will be affected by Spybot.AKB.
The email message used to distribute the worm is like the following:
If the attached file called INVITATION CARD.ZIP is decompressed, users will see that it contains a file that seems to be an image, as it has a JPG extension. However, after several blank spaces the EXE extension can be seen:
2.- P2P programs
In order to spread via P2P programs, it follows the routine below:
- The worm creates copies of itself in the shared folders of the following P2P programs:
- It uses the following names, passing itself off as interesting applications:
Absolute Video Converter 6.2.exe
Adobe Acrobat Reader keygen.exe
Adobe Illustrator CS4 crack.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
AnyDVD HD v.22.214.171.124 Beta incl crack.exe
AOL Instant Messenger (AIM) Hacker.exe
AOL Password Cracker.exe
Ashampoo Snap 3.02.exe
Avast 4.8 Professional.exe
BitDefender AntiVirus 2010 Keygen.exe
Blaze DVD Player Pro v6.52.exe
Brutus FTP Cracker.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
DivX 5.0 Pro KeyGen.exe
Divx Pro 7 + keymaker.exe
Download Accelerator Plus v9.exe
Download Boost 2.0.exe
DVD Tools Nero 10.5.6.0.exe
G-Force Platinum v3.7.5.exe
Google SketchUp 7.1 Pro.exe
Grand Theft Auto IV (Offline Activation).exe
Half-Life 2 Downloader.exe
Image Size Reducer Pro v1.0.1.exe
Internet Download Manager V5.exe
Kaspersky AntiVirus 2010 crack.exe
Kaspersky Internet Security 2010 keygen.exe
K-Lite Mega Codec v5.5.1.exe
K-Lite Mega Codec v5.6.1 Portable.exe
L0pht 4.0 Windows Password Cracker.exe
LimeWire Pro v4.18.3.exe
Magic Video Converter 8 0 2 18.exe
McAfee Total Protection 2010.exe
Microsoft Visual Basic KeyGen.exe
Microsoft Visual C++ KeyGen.exe
Microsoft Visual Studio KeyGen.exe
Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.e
Motorola, nokia, ericsson mobil phone tools.exe
Mp3 Splitter and Joiner Pro v3.48.exe
MSN Password Cracker.exe
Myspace theme collection.exe
Nero 9 126.96.36.199 keygen.exe
Norton Anti-Virus 2005 Enterprise Crack.exe
Norton Anti-Virus 2010 Enterprise Crack.exe
Norton Internet Security 2010 crack.exe
PDF password remover (works with all acrobat reader).exe
PDF to Word Converter 3.0.exe
PDF Unlocker v2.0.3.exe
Power ISO v4.2 + keygen axxo.exe
Rapidshare Auto Downloader 3.8.exe
RapidShare Killer AIO 2010.exe
sdbot with NetBIOS Spread.exe
Sophos antivirus updater bypass.exe
Sub7 2.3 Private.exe
Super Utilities Pro 2009 11.0.exe
Total Commander7 license+keygen.exe
Trojan Killer v2.9.4173.exe
Tuneup Ultilities 2010.exe
Twitter FriendAdder 2.1.1.exe
UT 2003 KeyGen.exe
VmWare 7.0 keygen.exe
Windows 2003 Advanced Server KeyGen.exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows 7 Ultimate keygen.exe
Windows Password Cracker.exe
Windows XP PRO Corp SP3 valid-key generator.exe
Windows2008 keygen and activator.exe
WinRAR v3.x keygen RaZoR.exe
Youtube Music Downloader 1.0.exe
- This way, users looking for this type of program could download and run them, thinking they are harmless applications when they are actually copies of the worm.
Spybot.AKB is written in the programming language Visual C++ v5. This worm is 419,328 bytes in size.
Research carried out by Aitor Crespo.