W32/Steph-B

Category: Viruses and Spyware
Protection available since: 17 Dec 2006 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 17 Dec 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports

W32/Steph-B is a KaZaA worm for the Windows platform. It also drops an IRC backdoor Trojan.

When run, W32/Steph-B copies itself to the system folder as DirectXset.exe. The following Registry entry is added to hook system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DirectX64
<system>\DirectXset.exe

The worm creates a 'Setup32' folder within the system folder and sets the following Registry entry to point to it:

HKCU\Software\Kazaa\LocalContent\Dir0

Several copies of the worm with enticing filenames are created in this folder:

Audio Catalyst 2.1.exe
Borland Delphi 7 Crack.exe
CladDVD XP 2 by fosi.exe
GFI Languard V4 Beta.exe
How to use Languard.exe
MS Windows Keygenerator all Versions_XP_2k_ME_98_95 .exe
Mc Affee anti Virus Scan Patch.exe
Medal of Honor by TNT Keygenerator.exe
Movie Jack 2.exe
Nero 5.5.9.14 Full + All Plugins Updates + Serial Keygen.exe
Norton AntiVirus 2003 Crack by Reality.exe
Office XP Keygenerator.exe
Partition Magic 7.exe
PowerDVD 5 - Keygenerator.exe
ProgDVB 3.29.exe
Quake all Versions Keygenerator.exe
Sim City 4 Download FULL.exe
SimCity 4 No CD Crack.exe
Ultra edit 32 new version + serial.exe
Unreal 2003 cd Crack 4 Ver 2166.exe
Unreal 2003.exe
Unreal Tournament 2003 internet Keygenerator-NEW.exe
WinDVD Platinum all languages.exe
Winamp 4 Beta.exe
Windows Longhorn Alpha Security Patch.exe
Zone Alarm Security Patch - 2003.exe

W32/Steph-B also drops an IRC backdoor Trojan as msedit32.exe in the system folder. This file is already detected by Sophos as W32/Sdbot-Gen. Once run, the IRC Trojan connects to a remote server to await commands. The following Registry entries are created to hook system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Efficiency Monitor
msedit32.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
System Efficiency Monitor
msedit32.exe
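The Registry entries described above can be checked offline against exported `reg query` output. The following is an added example, not Sophos code; the sample output is constructed, and the function names and the `ExampleUpdater` and `Dir1` entries are assumptions made for illustration.

```python
import ntpath
import re

RUN = r"hklm\software\microsoft\windows\currentversion\run"
# (normalised key, value name) -> expected file name, all from the description above
AUTORUNS = {
    (RUN, "directx64"): "directxset.exe",
    (RUN, "system efficiency monitor"): "msedit32.exe",
    (RUN + "services", "system efficiency monitor"): "msedit32.exe",
}
KAZAA = r"hkcu\software\kazaa\localcontent"
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# Constructed sample in the layout printed by `reg query`
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    DirectX64    REG_SZ    C:\WINDOWS\system32\DirectXset.exe
    System Efficiency Monitor    REG_SZ    msedit32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    System Efficiency Monitor    REG_SZ    msedit32.exe

HKEY_CURRENT_USER\Software\Kazaa\LocalContent
    Dir0    REG_SZ    C:\WINDOWS\system32\Setup32
    Dir1    REG_SZ    C:\Shared
"""

def parse_reg_query(text):
    """Yield (key, value name, data) from `reg query`-style output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # an unindented line is a key path
            key = line.strip()
            continue
        # Value names may contain spaces, so anchor on the REG_* type column.
        m = re.match(r"\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$", line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()

def norm_key(key):
    """Lower-case the key and shorten the hive name (Registry paths are case-insensitive)."""
    hive, _, rest = key.lower().partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest

def find_steph_b(text):
    """Return the (key, name, data) entries that match the W32/Steph-B description."""
    hits = []
    for key, name, data in parse_reg_query(text):
        k, n, d = norm_key(key), name.lower(), data.lower().strip('"')
        if AUTORUNS.get((k, n)) == ntpath.basename(d):
            hits.append((key, name, data))
        # The page does not give the exact Dir0 value format: match the trailing folder name only.
        elif k == KAZAA and n == "dir0" and d.rstrip("\\").endswith("\\setup32"):
            hits.append((key, name, data))
    return hits
```

A match on the `Dir0` entry alone is weaker evidence than the autorun entries, because only the folder name is compared.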
