Backdoor.SpyNet

Short bio

Backdoor.SpyNet is a Remote Access Trojan (RAT) application that may run in the background and silently collect information about the system, connected users, and network activity.  Backdoor.SpyNet may attempt to steal stored credentials, usernames and passwords and other personal and confidential information.  This information may be transmitted to a destination specified by the author.  Backdoor.SpyNet may allow an attacker to install additional software to the infected machine, or may direct the infected machine to participate in a malicious botnet for the purposes of sending spam or other malicious activities.

Symptoms

Backdoor.SpyNet may run silently in the background and may not provide any indication of infection to the user.  Backdoor.SpyNet may also disable Antivirus programs and other Microsoft Windows security features.

Type and source of infection

Backdoor.SpyNet may be distributed using various methods.  This software may be packaged with free online software, or could be disguised as a harmless program and distributed by email.  Alternatively, this software may be installed by websites using software vulnerabilities.  Infections that occur in this manner are usually silent and happen without user knowledge or consent.

Protection

Malwarebytes protects users from the installation of Backdoor.SpyNet

 

Malwarebytes detects and removes Backdoor.SpyNet

Remediation

Malwarebytes can detect and remove many Backdoor.SpyNet infections without further user interaction.

  1. Please download Malwarebytes to your desktop.
  2. Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  3. Then click Finish.
  4. Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  5. If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  6. When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  7. Restart your computer when prompted to do so.

Malwarebytes removal log

A Malwarebytes log of removal will look similar to this:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/22/18
Scan Time: 10:09 PM
Log File: f183bc49-2e4f-11e8-8ff4-00ffc8517b86.json
Administrator: Yes

-Software Information-
Version: 3.4.4.2398
Components Version: 1.0.322
Update Package Version: 1.0.4454
License: Premium

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295941
Threats Detected: 9
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 4
Backdoor.SpyNet, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|POLICIES, No Action By User, [231], [194026],1.0.4454
Backdoor.SpyNet, HKU\S-1-5-21-2165681608-3755637219-621560601-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|HKCU, No Action By User, [231], [194024],1.0.4454
Backdoor.SpyNet, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|POLICIES, No Action By User, [231], [194025],1.0.4454
Backdoor.SpyNet, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\RUN|POLICIES, No Action By User, [231], [194025],1.0.4454

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Backdoor.Agent, C:\WINDOWS\SYSWOW64\SPYNET, No Action By User, [85], [181094],1.0.4454

File: 4
Backdoor.Bifrose.Trace, C:\USERS\FWIPLAYER\APPDATA\ROAMING\LOGS.DAT, No Action By User, [13148], [245772],1.0.4454
Trojan.Agent.Trace, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\UUU.UUU, No Action By User, [2768], [248163],1.0.4454
Backdoor.Agent, C:\WINDOWS\SYSWOW64\SPYNET\SERVER.EXE, No Action By User, [85], [251509],1.0.4454
Trojan.Agent.Trace, C:\USERS\FWIPLAYER\APPDATA\LOCAL\TEMP\XXX.XXX, No Action By User, [2768], [248170],1.0.4454

Physical Sector: 0
(No malicious items detected)

(end)

(end)

Traces/IOCs

Associated files:

Spynet.exe, server.exe

 

 

Related blog content

Malwarebytes Backdoor.SpyNet removal forum topic

Information stolen? What now?

Why you don’t need 27 different passwords

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language