Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 20 May 2005 08:31:54 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Spybot-DO is a worm that spreads through network shares and backdoors left open by other worms and Trojans. W32/Spybot-DO has backdoor capabilities.
Upon execution, the worm copies itself into the Windows system folder with the name winsock3.exe and sets the following registry entries so that it is run on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
winsockdriver
winsock3.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
winsockdriver
winsock3.exe
W32/Spybot-DO also changes the following registry entry:
from:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
explorer.exe
to:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
explorer.exe winsock3.exe
W32/Spybot-DO also adds an entry under the Boot section of System.ini:
shell=explorer.exe winsock3.exe
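
The startup changes described above can be checked offline against a registry export and a copy of System.ini. The following Python is an added example, not Sophos code; the function names are hypothetical and the sample export and ini text are constructed from the entries listed above.

```python
import re

# Indicators taken from the description above.
WORM_EXE = "winsock3.exe"
RUN_VALUE = "winsockdriver"
RUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
# Constructed sample inputs, not captured from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"winsockdriver"="winsock3.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"winsockdriver"="winsock3.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe winsock3.exe"
'''
SAMPLE_INI = "[boot]\nshell=explorer.exe winsock3.exe\n"

def shell_findings(data, source):
    """Flag anything a shell line launches besides explorer.exe."""
    extras = [t for t in data.split() if t.lower() != "explorer.exe"]
    return [f"{source}: shell also launches {t}" for t in extras]

def check_reg_export(text):
    """Scan .reg export text for the Run/RunOnce and Winlogon Shell changes."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # current registry key
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if not m:
            continue
        name, data = m.groups()
        if key.lower().endswith(RUN_KEYS):
            if name.lower() == RUN_VALUE or WORM_EXE in data.lower():
                findings.append(f"{key}: {name} -> {data}")
        elif key.lower().endswith(r"\winlogon") and name.lower() == "shell":
            findings += shell_findings(data, key)
    return findings

def check_system_ini(text):
    """Check the shell= line in the [boot] section of System.ini."""
    section, findings = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "boot" and line.lower().startswith("shell="):
            findings += shell_findings(line.split("=", 1)[1], "system.ini [boot]")
    return findings
```

Exports written by regedit in the Version 5.00 format are UTF-16, so decode the file accordingly before passing its text to `check_reg_export`.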
W32/Spybot-DO copies itself as wlnstart.exe to the following startup folders of shared network drives:
WINDOWS\All Users\Startmenn\Programme\Autostart
Dokumente und Einstellungen\All Users\Startmen\programme\autostart
Documents and Settings\All Users\Menu Start\Programma's\Opstarten
WINDOWS\All Users\Start Menu\Programs\StartUp
WINNT\Profiles\All Users\Start Menu\Programs\Startup
WINDOWS\Start Menu\Programme\Autostart
WINDOWS\Start Menu\Programma's\Opstarten
WINDOWS\Start Menu\Programs\Startup
Documenti e Impostazioni\All Users\Start Menu\Programs\Startup
Dokumente und Einstellungen\All Users\Start Menu\Programs\Startup
Documents and Settings\All Users\Start Menu\Programs\Startup
W32/Spybot-DO monitors running processes and terminates regedit.exe, taskmgr.exe, msconfig.exe and netstat.exe if they are found running.
The worm then adds an entry in win.ini of the remote computer and also schedules a remote job to run the remote copy of the worm.
The worm logs on to a predefined IRC server to wait for backdoor commands.
