W32/Spar-A is a P2P worm for the Windows platform.
W32/Spar-A copies an RAR archive of itself using over 300 filenames to a number of P2P folders, including those for the following applications:
eMule
LimeWire
eDonkey
Ares
BearShare
Kazaa
Kazaa Lite
Shareaza
Warez
W32/Spar-A will also start or restart these applications.
W32/Spar-A attempts to copy itself to <System>\WinSpooler.exe and <Temp>\runme.exe and sets the following registry to run itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Windows Printing Driver
WinSpooler.exe
W32/Spar-A may display the following fake message:
Patch applied succesfully! If your software is still trial maybe you need to install it before patch it.
W32/Spar-A drops the following files:
<Temp>\temp_01.exe (also detected as W32/Spar-A)
<Temp>\temp_01.rar (also detected as W32/Spar-A)
<System>\rar.exe (clean archiving utility)
The file temp_01.exe attempts to copy itself to <System>\WinUpdating.exe if run, and sets the following registry entry to run itself on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
WinUpdating
WinUpdating.exe