Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
You should change your passwords if they may have been compromised.
You will also need to edit the following registry entries. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration File
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Configuration File
and delete them if they exist.
Close the registry editor.
More Information
W32/Spybot-C is a peer-to-peer worm that spreads via network drives and the KaZaA file sharing network.
W32/Spybot-C creates the folder <Windows system>\kazaabackupfiles and copies itself there using the following filenames:
Half-Life Keygen.exe
Edonkey Crack.exe
Retina Crack.exe
XBoX Emulator.exe
Battlefield 1912.exe
GTA3 Vice City (Real THING!).exe
To enable sharing of these files the registry entry
HKCU\Software\Kazaa\LocalContent\Dir0
is updated to point to this location.
W32/Spybot-C attempts to copy itself to the following folders on attached network drives:
Documents and Settings\All Users\Menu Start\Programma's\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
To run automatically on system startup, W32/Spybot-C copies itself to the file explorer.exe in the Windows system folder and sets the following registry entries to point to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration File
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Configuration File
While W32/Spybot-C is active it attempts to terminate the following programs:
regedit.exe
msconfig.exe
taskmgr.exe
netstat.exe
W32/Spybot-C logs keystrokes to the file keylog.txt in the Windows system folder and attempts to steal passwords.
W32/Spybot-C has an IRC backdoor component that attempts to connect to the address jax.bsd.st announcing the infection and allowing a malicious user remote access to the computer.
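
A read-only check for the local artefacts described above, written in PowerShell as an added example (it is not Sophos code). The function name Get-SpybotCIndicator is hypothetical; the registry values, folder and file names are the ones listed on this page.

```powershell
# Added example: read-only check for the W32/Spybot-C artefacts named on this page.
# Nothing is deleted or changed; one object is returned per artefact found.
function Get-SpybotCIndicator {
    $sysDir = [Environment]::SystemDirectory   # the "Windows system folder"
    $found  = @()

    # Autostart value "Configuration File" under Run and RunOnce (HKLM)
    foreach ($key in 'Run', 'RunOnce') {
        $path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\$key"
        $prop = Get-ItemProperty -Path $path -Name 'Configuration File' -ErrorAction SilentlyContinue
        if ($prop) {
            $found += [pscustomobject]@{
                Type     = 'Autostart value'
                Location = "$path\Configuration File"
                Detail   = $prop.'Configuration File'
            }
        }
    }

    # KaZaA shared-folder entry redirected to the worm's folder
    $kazaa = Get-ItemProperty -Path 'HKCU:\Software\Kazaa\LocalContent' -Name 'Dir0' -ErrorAction SilentlyContinue
    if ($kazaa -and $kazaa.Dir0 -like '*kazaabackupfiles*') {
        $found += [pscustomobject]@{
            Type     = 'KaZaA share'
            Location = 'HKCU:\Software\Kazaa\LocalContent\Dir0'
            Detail   = $kazaa.Dir0
        }
    }

    # Files and folders the worm creates in the Windows system folder
    foreach ($name in 'kazaabackupfiles', 'explorer.exe', 'keylog.txt') {
        $item = Join-Path $sysDir $name
        if (Test-Path -LiteralPath $item) {
            $found += [pscustomobject]@{
                Type     = 'File system'
                Location = $item
                Detail   = (Get-Item -LiteralPath $item -Force).LastWriteTime
            }
        }
    }
    return $found
}

Get-SpybotCIndicator | Format-Table -AutoSize -Wrap
```

Run it from a native PowerShell session: in a 32-bit session on 64-bit Windows the system folder is redirected to SysWOW64, which holds a genuine 32-bit explorer.exe. An empty result means only that these specific artefacts were not found.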
