W32/Spybot-Fam

Category: Viruses and Spyware
Protection available since: 04 Jun 2003 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 25 Sep 2006 00:00:00 (GMT)
Prevalence: No Reports


W32/Spybot-Fam is a P2P worm that spreads via the KaZaA file sharing network.

W32/Spybot-Fam creates the folder %system%\kazaabackupfiles and copies itself there using several different filenames. Examples are:

AVP_Crack.exe
Adultbouncer_cracks.exe
AquaNox2 Crack.exe
Battlefield1942_bloodpatch.exe
C&C Generals_crack.exe
FIFA2003 crack.exe
Generals_no_cd_crack.exe
Half-life_cheats.exe
NBA2003_crack.exe
Nero Burning Rom Crack.exe
Norton_AV_crack.exe
Photoshop7_crack.exe
Porn.exe
Splinter cell no cd.exe
UT2003_bloodpatch.exe
Unreal2_bloodpatch.exe
Windows_keygen.exe
bf1942 patch.exe
zoneallarm_pro_crack.exe.

To enable sharing of these files the registry entry

HKCU\Software\Kazaa\LocalContent\Dir0

is updated to point to this location.

In order to be run automatically on system startup, W32/Spybot-Fam copies itself to a file with a random name in the system folder and sets the following registry entries to point to this file.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver

W32/Spybot-Fam also copies itself to the file mscongfig.exe in the system folder.

While the worm is active, it attempts to terminate various monitoring programs. It also logs keystrokes to the file keylog.txt in the system folder and attempts to steal passwords.

W32/Spybot-Fam has an IRC backdoor component that connects to a remote IRC server, announces the infection, and allows a malicious user remote access to the computer.
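The registry and file indicators described above can be checked against a triage snapshot of a host. The following is an added example, not Sophos code: the function name, the snapshot format (a mapping of registry value paths to data, plus a list of file paths) and the sample data are assumptions made for illustration.

```python
import ntpath  # Windows path handling that also works when triaging from another OS

# Indicators taken from the description above.
RUN_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
)
RUN_VALUE = "winsock2 driver"
KAZAA_VALUE = r"hkcu\software\kazaa\localcontent\dir0"
SHARE_DIR = "kazaabackupfiles"
DROPPED = {"mscongfig.exe", "keylog.txt"}


def find_indicators(registry, files, system_dir):
    """Return sorted findings for a host snapshot (hypothetical format).

    registry: {full registry value path: data}; files: iterable of full paths.
    Windows paths and registry names are case-insensitive, so compare lowercased.
    """
    sysdir = system_dir.rstrip("\\").lower()
    findings = []
    for path, data in registry.items():
        key, _, name = path.lower().rpartition("\\")
        if name == RUN_VALUE and key in RUN_KEYS:
            findings.append(f"autostart: {path} -> {data}")
        elif path.lower() == KAZAA_VALUE and SHARE_DIR in data.lower():
            findings.append(f"kazaa share: {path} -> {data}")
    for f in files:
        parent, leaf = ntpath.split(f.lower())
        if parent == sysdir and leaf in DROPPED:
            findings.append(f"dropped file: {f}")
        elif parent == ntpath.join(sysdir, SHARE_DIR) and leaf.endswith(".exe"):
            findings.append(f"shared copy: {f}")
    return sorted(findings)


# Constructed snapshot for illustration; not data from a real host.
SAMPLE_REGISTRY = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver": r"C:\WINDOWS\system32\qzxv.exe",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    r"HKCU\Software\Kazaa\LocalContent\Dir0": r"C:\WINDOWS\system32\kazaabackupfiles",
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\mscongfig.exe",   # the misspelled copy named above
    r"C:\WINDOWS\system32\msconfig.exe",    # correctly spelled name, not flagged
    r"C:\WINDOWS\System32\kazaabackupfiles\Windows_keygen.exe",
    r"C:\Users\a\Documents\keylog.txt",     # outside the system folder, not flagged
]

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_REGISTRY, SAMPLE_FILES, r"C:\WINDOWS\system32"):
        print(line)
```

Because the autostart copy has a random filename, the check keys on the `Winsock2 driver` value name rather than on the file the value points to.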
