W32/Spybot-C

Category: Viruses and Spyware
Protection available since: 02 Jun 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 02 Jun 2003 00:00:00 (GMT)
Prevalence: No Reports


W32/Spybot-C is a peer-to-peer worm that spreads via network drives and the KaZaA file sharing network.

W32/Spybot-C creates the folder <Windows system>\kazaabackupfiles and copies itself there using the following filenames:

Half-Life Keygen.exe
Edonkey Crack.exe
Retina Crack.exe
XBoX Emulator.exe
Battlefield 1912.exe
GTA3 Vice City (Real THING!).exe

To enable sharing of these files the registry entry

HKCU\Software\Kazaa\LocalContent\Dir0

is updated to point to this location.

W32/Spybot-C attempts to copy itself to the following folders on attached network drives:

Documents and Settings\All Users\Menu Start\Programma's\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup

To run automatically on system startup, W32/Spybot-C copies itself to the file explorer.exe in the Windows system folder and sets the following registry entries to point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration File

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Configuration File

While W32/Spybot-C is active it attempts to terminate the following programs:

regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe

W32/Spybot-C logs keystrokes to the file keylog.txt in the Windows system folder and attempts to steal passwords.

W32/Spybot-C has an IRC backdoor component that attempts to connect to the address jax.bsd.st announcing the infection and allowing a malicious user remote access to the computer.
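
As an added example (not part of the original description and not Sophos code), the file and registry indicators listed above can be checked against a file listing and registry export collected from a suspect host. The function name, the snapshot layout and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators copied from the description above.
DROP_DIR = "kazaabackupfiles"
DROPPED_NAMES = {
    "half-life keygen.exe", "edonkey crack.exe", "retina crack.exe",
    "xbox emulator.exe", "battlefield 1912.exe",
    "gta3 vice city (real thing!).exe",
}
SYSTEM_FILES = {"explorer.exe", "keylog.txt"}
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
RUN_VALUE = "Configuration File"
KAZAA_KEY = r"HKCU\Software\Kazaa\LocalContent"

def triage(system_dir, files, registry):
    """Return sorted (indicator, detail) hits; registry is {(key, value): data}."""
    sysdir = ntpath.normcase(ntpath.normpath(system_dir))
    dropdir = ntpath.join(sysdir, DROP_DIR)
    hits = []
    for path in files:
        parent, name = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
        if parent == dropdir and name in DROPPED_NAMES:
            hits.append(("kazaa-share-copy", path))
        elif parent == sysdir and name in SYSTEM_FILES:
            hits.append(("system-folder-file", path))
    # Registry key and value names are case-insensitive on Windows.
    reg = {(k.lower(), v.lower()): d for (k, v), d in registry.items()}
    for key in RUN_KEYS:
        data = reg.get((key.lower(), RUN_VALUE.lower()))
        if data is not None:
            hits.append(("autorun-entry", f"{key}\\{RUN_VALUE} = {data}"))
    dir0 = reg.get((KAZAA_KEY.lower(), "dir0"))
    if dir0 and DROP_DIR in dir0.lower():
        hits.append(("kazaa-dir0", dir0))
    return sorted(hits)

# Constructed snapshot of one host (not real data).
SAMPLE_FILES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\explorer.exe",
    r"C:\WINDOWS\system32\keylog.txt",
    r"C:\WINDOWS\system32\kazaabackupfiles\Retina Crack.exe",
]
SAMPLE_REGISTRY = {
    (RUN_KEYS[0], RUN_VALUE): r"C:\WINDOWS\system32\explorer.exe",
    (KAZAA_KEY, "Dir0"): r"C:\WINDOWS\system32\kazaabackupfiles",
}
```

The `C:\WINDOWS\explorer.exe` entry in the sample is not reported, since only a copy in the system folder matches the description.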
