W32/Spybot-CA

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


Protection available since	21 May 2004 10:34:09 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Windows NT/2000/XP

In Windows NT/2000/XP you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Configuration Default = WUXAT.EXE

and delete it if it exists.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\Configuration Default = WUXAT.EXE

and delete it if it exists.

Close the registry editor and reboot your computer.

More Information

Summary
Action
More Information

W32/Spybot-CA is a peer-to-peer worm and backdoor Trojan that copies itself
into the Windows system folder as WUXAT.EXE using a random name and sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Configuration Default = WUXAT.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Configuration Default = WUXAT.EXE

W32/Spybot-CA creates the folder kazaabackupfiles in the Windows system
folder and copies itself there using the following filenames:

AVP_Crack.exe
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
avg-pro_crack.exe
divx_codec.exe
gta3_patchfr.exe
keygen.exe
mirc_crack.exe
movie_xxx.exe
norton_crack.exe
paris_hilton_movie_xxx.exe
windows_crack.exe
windows_xp.exe
zone_alarm_crack.exe

The worm also sets the following registry entry to point to this folder:

HKCU\Software\Kazaa\LocalContent\
Dir0 = 012345:C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles\\

W32/Spybot-CA terminates msconfig.exe and netstat.exe. The worm also logs
on to a predefined IRC server to wait for backdoor commands.

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Spybot-CA

Summary

Action

More Information