Trojan:W32/Spybot.JT is distributed in a file named '7zs.sfx.exe'. Once executed, the malware creates files that run automatically each time the machine is started, takes screenshots and stores the captured images in a folder.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
When the '7zs.sfx.exe' file is launched, Trojan:W32/Spybot.JT installs itself on the machine so that its files automatically run at each system startup.
To do so, the malware first creates the following file:
Most of the malicious activity is performed by the svchost.exe file, which is also created at this point. To make sure these files are run each time the computer is started, the malware modifies the registry by editing the following keys:
The following mutex objects are also created to prevent re-infection of an already infected machine:
Once created, the 'mshelp.exe' file will create the following files:
It also uses the following files to support its later malicious actions:
The 'kver34t.bat' file then searches for and deletes the 'mshelp.exe' file. In order to do so, the 'kver34t.bat' file first changes the attributes of 'mshelp.exe' using the attrib command's -a, -r, -s and -h switches, which clear the archive, read-only, system and hidden attributes; the file can then be deleted.
The svchost.exe process will create the following file:
While the malware is running on the infected machine, its main payload is to take a screenshot every few seconds for as long as it runs; the captured images are saved at the following location: