W32.Spacefam

W32.Spacefam is a harmful computer worm that propagates via social network sites, particularly Facebook. W32.Spacefam steals user accounts and log-in credentials from victims' profiles. It also sends messages containing malicious links to contacts found on compromised accounts.

Technical Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Manual Removal of W32.Spacefam:

1. Temporarily Disable System Restore.
2. Update the virus definitions.
3. Restart Windows in Safe Mode.
4. Run a full system scan and clean/delete all infected files.
5. Delete/Modify any values added to the registry.
6. Exit registry editor and restart Windows.

Scan with Norton Power Eraser:
Norton Power Eraser is a free removal tool from Norton Antivirus, developed to remove unfamiliar threats without relying on traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.

Technical Details and Additional Information:

Other functionalities of this Trojan:
- Download and execute files
- Block Internet access
- Redirect predefined URL to other web sites
- Embed snippets to online banking web sites to steal information

Malicious Files Added by W32.Spacefam:
%CurrentFolder%\photo.exe
%UserProfile%\Application Data\[RANDOM CHARACTERS 1].exe
%UserProfile%\Application Data\[RANDOM CHARACTERS 2].exe
%Temp%\[RANDOM CHARACTERS].tmp
%Windir%\Temp\[RANDOM CHARACTERS 1].tmp
%Windir%\Temp\[RANDOM CHARACTERS 2].tmp

Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS 1].exe" = "%UserProfile%\Application Data\[RANDOM CHARACTERS 1].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\facebook
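
A read-only check for the file and registry indicators listed above, as an added PowerShell example that is not part of the original write-up or of any vendor tool. It assumes the Run value name matches the dropped executable's file name, as the pattern above shows; the function and variable names are illustrative.

```powershell
# Read-only triage for the W32.Spacefam indicators listed on this page.
# Reports matches only; nothing is deleted or modified.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$fbKey  = 'HKLM:\SOFTWARE\facebook'

# %UserProfile%\Application Data as written on the page. On Vista/7 that name
# is a junction to AppData\Roaming ($env:APPDATA), so accept either spelling.
$appDataDirs = @((Join-Path $env:USERPROFILE 'Application Data'), $env:APPDATA) |
    Select-Object -Unique

function Test-SpacefamRunEntry {
    param([string]$Name, [string]$Data, [string[]]$Dirs)
    # Page pattern: value "<random>.exe" = "<Application Data>\<same name>"
    if ($Name -notlike '*.exe') { return $false }
    $path = [Environment]::ExpandEnvironmentVariables($Data.Trim('"'))
    foreach ($dir in $Dirs) {
        if ($path -ieq (Join-Path $dir $Name)) { return $true }
    }
    return $false
}

$findings = @()

# Autostart values that follow the page's name/path pattern.
$run = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if (Test-SpacefamRunEntry -Name $name -Data $data -Dirs $appDataDirs) {
            $findings += "Run value '$name' -> $data"
        }
    }
}

if (Test-Path -Path $fbKey) { $findings += "Registry key present: $fbKey" }

# Executables sitting directly in the Application Data folder are unusual;
# list them for review rather than treating each one as confirmed malware.
$exes = @(Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer })
foreach ($exe in $exes) { $findings += "Executable in Application Data: $($exe.FullName)" }

if ($findings.Count -eq 0) { 'No W32.Spacefam indicators from this page were found.' }
else { $findings }
```

The randomly named `.tmp` files are not checked because they cannot be told apart from legitimate temporary files by name alone.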

Alternative Removal Method for W32.Spacefam

Option 1: Use Windows System Restore to return Windows to a previous state

If W32.Spacefam enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with clean versions. If you have a restore point saved before W32.Spacefam infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore; click here to see the full procedure.