W32/Spybot-DP

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	21 June 2005 08:20:41 (GMT)
Last updated	20 December 2005 22:45:42 (GMT)
Detected by	All Sophos products

Free virus scan
Download the Threat Detection Test

Free virus, spyware, and adware scan
Test your existing anti-virus protection
Find threats your anti-virus missed

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

Change any data that may have become compromised.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

and remove any reference to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\
CurrentVersion\RunOnce\

and remove any reference to any file you deleted.

Close the registry editor.

More Information

Summary
Action
More Information

W32/Spybot-DP is a worm and IRC backdoor Trojan for the Windows platform.

W32/Spybot-DP spreads via file sharing on P2P networks.

W32/Spybot-DP may also attempt to spread via backdoors left open by the following Trojans:

Troj/Kuang
Troj/Sub7

W32/Spybot-DP runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Spybot-DP includes functionality to:

- steal confidential information
- carry out DDoS flooder attacks
- provide a proxy server
- silently download, install and run new software
- create a HTTP server

When first run W32/Spybot-DP copies itself to:

<System>\<random filename>
<System>\kazaabackupfiles\download_me.exe
<System>\wuaumqr.exe

The following registry entries are created to run wuaumqr.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Winsock2 driver
WUAUMQR.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Winsock2 driver
WUAUMQR.EXE

Registry entries are created under:

HKCU\Software\Kazaa\LocalContent\
Dir0
012345:C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles\\

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Spybot-DP

Summary

Action

More Information