Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems.
Slenfbot was first discovered in 2007 and, since then, numerous variants have followed, each with slightly different characteristics and new additions to the worm's payload, such as the ability to provide the attacker with unauthorized access to the compromised host.
The inclusion of other malware families and variants, as well as its own continuous evolution, makes Slenfbot a highly effective downloader with a propensity to cause even more damage to compromised systems.
Some variants may make additional modifications to the registry in order to delete the originally executed copy of the worm when the system restarts.[1][2][3][5][6]
Some Slenfbot variants may, on initial execution, test to see if MSN/Windows Live Messenger is currently running by looking for a window with the class name "MSBLWindowClass".
The attacker would have to instruct the worm to spread to the remote system via exploit or instant messaging in order to continue the propagation of Slenfbot.[1][5][6][7][8]
The following steps may help prevent infection:
Slenfbot uses stealth measures to maintain persistence on a system; thus, you may need to boot to a trusted environment in order to remove it.
Also, since many variants of Slenfbot attempt to propagate to available removable/remote drives and network shares, it is important to ensure the recovery process thoroughly detects and removes the malware from any and all known/possible locations.