Sunday, Apr 19

What is spooldr.sys?


The file spooldr.sys undermines the stability of core processes that MS Windows versions need in order to run properly. It is installed on MS Windows computers by the Trojan.Packed.13 malware.


Trojan.Packed.13 is a malicious program distributed through a spam campaign known as Peacomm. The Peacomm spam lures recipients into visiting a website that offers an applet.exe link. The site also runs a JavaScript routine that embeds code exploiting a WMP (Windows Media Player) vulnerability. The JavaScript routine triggers the WMP exploit after the user declines the "Secure Login Applet" that is launched on visiting the site.

At this point, successful exploitation of the WMP vulnerability downloads a small program to the compromised machine. That program then downloads and runs applet.exe on the MS Windows machine. Both of these malicious programs are detected as Trojan.Packed.13.

Afterwards, applet.exe runs and drops a copy of itself into the Windows folder of the system partition as spooldr.exe. This gives the malware the ability to install a kernel driver, spooldr.sys, which is dropped into the System folder of the MS Windows partition. spooldr.sys then launches spooldr.exe using a shellcode-like routine that runs in the context of MS Windows Explorer.
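A small detection routine for the drop chain just described, added here as an example and not part of the original post. The log format, host names and paths are constructed; placing spooldr.sys under C:\Windows\System32 is an assumption about what the post calls the System folder.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not from the post): timestamp|host|event|path|parent_image.
# Drop paths assume C:\Windows for spooldr.exe and C:\Windows\System32 for spooldr.sys.
SAMPLE_LOG = """\
2009-04-19T10:01:02|WS01|FileCreate|C:\\Temp\\applet.exe|C:\\Program Files\\Windows Media Player\\wmplayer.exe
2009-04-19T10:01:05|WS01|ProcessStart|C:\\Temp\\applet.exe|
2009-04-19T10:01:06|WS01|FileCreate|C:\\Windows\\spooldr.exe|C:\\Temp\\applet.exe
2009-04-19T10:01:07|WS01|FileCreate|C:\\Windows\\System32\\spooldr.sys|C:\\Windows\\spooldr.exe
2009-04-19T10:01:08|WS01|DriverLoad|C:\\Windows\\System32\\spooldr.sys|
2009-04-19T10:02:00|WS02|FileCreate|C:\\Windows\\System32\\spoolsv.exe|C:\\Windows\\servicing\\TrustedInstaller.exe
2009-04-19T10:02:30|WS02|ProcessStart|C:\\Windows\\System32\\spoolsv.exe|
"""

# (event type, file basename) -> stage of the drop chain the post describes.
STAGES = {
    ("processstart", "applet.exe"): "applet_exec",
    ("filecreate", "spooldr.exe"): "spooldr_exe_drop",
    ("filecreate", "spooldr.sys"): "spooldr_sys_drop",
    ("driverload", "spooldr.sys"): "driver_load",
}
CHAIN_ORDER = ["applet_exec", "spooldr_exe_drop", "spooldr_sys_drop", "driver_load"]

def parse_line(line):
    _, host, event, path, _ = line.split("|", 4)
    return {"host": host, "event": event.lower(), "name": ntpath.basename(path).lower()}

def find_spooldr_chain(log_text):
    """Return {host: [stages seen, in chain order]} for hosts with any spooldr stage."""
    # Exact basename matching keeps the legitimate Print Spooler (spoolsv.exe) out.
    seen = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        stage = STAGES.get((ev["event"], ev["name"]))
        if stage:
            seen[ev["host"]].add(stage)
    return {h: [s for s in CHAIN_ORDER if s in st] for h, st in seen.items()}

def infected_hosts(log_text, min_stages=2):
    """Hosts where at least min_stages of the chain were observed."""
    return sorted(h for h, s in find_spooldr_chain(log_text).items() if len(s) >= min_stages)

if __name__ == "__main__":
    print(find_spooldr_chain(SAMPLE_LOG), infected_hosts(SAMPLE_LOG))
```

Requiring two or more stages before raising an alert keeps a lone file name in a path from triggering on its own, while still catching a host that only logged the driver drop and load.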


©2009 computer technology World | Template Blue by TNB