W32/Spybot-BM

Please follow the instructions for removing worms.

Renaming the registry editor and editing the registry

• Using Windows explorer, browse to the Windows folder (usually C:\Windows or C:\Winnt) right-click Regedit.exe and make a copy of it.
• Rename the copy of Regedit.exe to Regedit.com.
• At the taskbar, click Start|Run. Type 'Regedit.com' and press Return. The registry editor opens.

You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

and delete it if it exists.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\Run\Winsock2 driver

and delete it if it exists.

Close the registry editor and reboot your computer.

W32/Spybot-BM is a peer-to-peer worm and backdoor Trojan that copies itself into the Windows system folder using a random name and sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

W32/Spybot-BM creates the folder kazaabackupfiles in the Windows system folder and copies itself there using various filenames.

The worm also sets the following registry entry to point to this folder:

HKCU\Software\Kazaa\LocalContent\Dir0

W32/Spybot-BM terminates regedit.exe, taskmgr.exe, msconfig.exe and netstat.exe. The worm also logs on to a predefined IRC server to wait for backdoor commands.