Summary

| Detected by | All Sophos products |
|---|---|
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action

Please follow the instructions for removing worms.
You should change any passwords that may have become compromised.
Windows NT/2000/XP
In Windows NT/2000/XP you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver
and delete them if they exist.
Close the registry editor.
More Information
W32/Spybot-B is a peer-to-peer worm that spreads via the KaZaA file sharing network.
W32/Spybot-B creates the folder <Windows system32>\kazaabackupfiles and copies itself there using the following filenames:
download_me.exe
zoneallarm_pro_crack.exe
AVP_Crack.exe
PornScreenSaver.exe
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
AquaNox2 Crack.exe
NBA2003_crack.exe
FIFA2003 crack.exe
C&C Generals_crack.exe
nt_spread.exe
NetBios_Spread.exe
Dancing_Screensaver.exe
NudeDance_202Brittany.exe
DancingPlayboySpread.exe
Ejay_crack20.exe
The_REASON_CRACK_LEGIT.exe
Dance.exe
Matrix_ScreenSaver.exe
Netstat.exe
conf32.exe
sdbot_nt_mod.exe
netbios_patch.exe
Hack_scanner.exe
cisco_scan.exe
ULTIMATE_scanner.exe
Battlefield1942_Keygen.exe
ALL_WIN_osSERIAL-keygen.exe
winXP_keygen.exe
serials_2002ALLUPDATE.exe
To enable sharing of these files, the registry entry
HKCU\Software\Kazaa\LocalContent\Dir0
is updated to point to this location.
In order to be run automatically on system startup, W32/Spybot-B copies itself to the Windows system folder with the filename TESTING.EXE and sets the following registry entries to point to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver
While W32/Spybot-B is active it attempts to terminate the following programs:
regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe
W32/Spybot-B also logs keystrokes to the file testing.txt in the Windows system folder and attempts to steal passwords.
W32/Spybot-B has an IRC backdoor component that attempts to contact an intruder, announcing the infection and allowing a malicious user remote access to the computer.
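The following is an added example, not part of the original description or any Sophos tooling: it scans a text export of the registry (such as the Backup file made in the removal steps) for the Run and RunOnce "Winsock2 driver" values and for a Kazaa Dir0 entry pointing at kazaabackupfiles. The function names and the sample export are constructed for illustration.

```python
import re

# Keys, value names and folder name below come from the description above.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
}
AUTOSTART_VALUE = "winsock2 driver"
KAZAA_KEY_SUFFIX = r"\software\kazaa\localcontent"
SHARE_FOLDER = "kazaabackupfiles"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # matches "name"=data

def unescape(text):  # .reg files escape \ and " with a leading backslash
    return re.sub(r"\\(.)", r"\1", text)

def find_spybot_b_entries(reg_text):
    """Return (key, value name, data) for each entry this page attributes to the worm."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]              # start of a new key section
            continue
        match = VALUE_RE.match(line)
        if key is None or not match:
            continue                      # header, blank line or non-named value
        name, data = unescape(match.group(1)), match.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])   # plain string (REG_SZ) value
        low_key, low_name = key.lower(), name.lower()
        autostart = low_key in RUN_KEYS and low_name == AUTOSTART_VALUE
        share = (low_key.endswith(KAZAA_KEY_SUFFIX) and low_name == "dir0"
                 and SHARE_FOLDER in data.lower())
        if autostart or share:
            hits.append((key, name, data))
    return hits

# Constructed sample export (paths and ExampleApp are illustrative, not from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
"Winsock2 driver"="C:\\WINDOWS\\system32\\TESTING.EXE"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Winsock2 driver"="C:\\WINDOWS\\system32\\TESTING.EXE"
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="C:\\WINDOWS\\system32\\kazaabackupfiles"
'''
```

Exports in the "Windows Registry Editor Version 5.00" format are UTF-16, so read such a file with `encoding="utf-16"` before passing its text to `find_spybot_b_entries`.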
