W32/Spybot-Fam is a P2P worm that spreads via the KaZaA file-sharing network.
W32/Spybot-Fam creates the folder %system%\kazaabackupfiles and copies itself there using several different filenames. Examples are:
Nero Burning Rom Crack.exe
Splinter cell no cd.exe
To enable sharing of these files, the registry entry
is updated to point to this location.
To run automatically on system startup, W32/Spybot-Fam copies itself to a file with a random name in the system folder and sets the following registry entries to point to this file.
W32/Spybot-Fam also copies itself to the file mscongfig.exe in the system folder.
While the worm is active, it attempts to terminate various monitoring programs. The worm also logs keystrokes to the file keylog.txt in the system folder and attempts to steal passwords.
W32/Spybot-Fam has an IRC backdoor component that connects to a remote IRC server, announces the infection, and allows a malicious user remote access to the computer.
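An added example, not part of the original description: a Python triage check for the on-disk artifacts named above (the kazaabackupfiles folder, mscongfig.exe and keylog.txt in the system folder). It assumes the worm's copies are byte-identical, so any executable in the system folder whose SHA-256 matches mscongfig.exe or a file in kazaabackupfiles is reported as a candidate for the random-named startup copy. The names scan, digest, build_sample and qzxvbn.exe are hypothetical, and the sample tree is constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Names from the description above; matched case-insensitively, as Windows does.
SHARE_DIR, FIXED_COPY, KEYLOG = "kazaabackupfiles", "mscongfig.exe", "keylog.txt"

def digest(path):
    try:
        return hashlib.sha256(path.read_bytes()).hexdigest()
    except OSError:
        return "unreadable:" + str(path)  # unique key, matches nothing else

def scan(system_dir):
    """Return named artifacts found, plus every file byte-identical to a worm copy."""
    system_dir = Path(system_dir)
    artifacts, seeds, by_hash = [], set(), defaultdict(list)
    for entry in sorted(system_dir.iterdir()):
        name = entry.name.lower()
        if entry.is_dir() and name == SHARE_DIR:
            artifacts.append(entry.name)
            for f in sorted(p for p in entry.iterdir() if p.is_file()):
                seeds.add(h := digest(f))
                by_hash[h].append(str(f.relative_to(system_dir)))
        elif entry.is_file() and name.endswith(".exe"):
            by_hash[digest(entry)].append(entry.name)
            if name == FIXED_COPY:
                artifacts.append(entry.name)
                seeds.add(digest(entry))
        elif entry.is_file() and name == KEYLOG:
            artifacts.append(entry.name)
    # Seeds: the share folder's files and mscongfig.exe. Anything else with a
    # seed hash is a candidate for the random-named startup copy.
    copies = sorted(p for h in seeds for p in by_hash[h])
    return {"artifacts": artifacts, "copies": copies}

def build_sample(root):
    """Constructed test tree; the 'worm' bytes are a harmless placeholder."""
    root, worm = Path(root), b"CONSTRUCTED-PLACEHOLDER"
    (root / SHARE_DIR).mkdir()
    for n in ("Nero Burning Rom Crack.exe", "Splinter cell no cd.exe"):
        (root / SHARE_DIR / n).write_bytes(worm)
    for n in (FIXED_COPY, "qzxvbn.exe"):  # second name stands in for the random one
        (root / n).write_bytes(worm)
    (root / "notepad.exe").write_bytes(b"unrelated program")
    (root / KEYLOG).write_text("constructed")
    return root

if __name__ == "__main__":
    print(scan(build_sample(tempfile.mkdtemp())))
```

To check a real machine, pass scan() the path of the system folder, ideally from a mounted offline image so the running worm cannot interfere with the read.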