Summary

| Protection available since | 14 October 2003 14:06:03 (GMT) |
|---|---|
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Change any passwords that may have become compromised.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Explorer(64)
and delete it if it exists.
Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:
HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Explorer(64)
and delete it if it exists.
Close the registry editor and reboot your computer.
More Information
W32/Spybot-R is a P2P worm that spreads via the KaZaA file sharing network.
Upon execution, W32/Spybot-R displays the fake error message
"Runtime Error", "Unable to locate Smartinstl32.dll. Re-installing the application may fix the problem".
The worm creates the folder <system>\kazaabackupfiles and copies itself there using several different filenames, including:
Battlefield_1942.Keygen.FDX.ShareReactor.exe
C&C.Generals-keygen.exe
cs-keygen.exe
dev-nfs.exe
eatop605kg.exe
Freelancer Keygen.exe
hv-Max5-kg.exe
Opera601key.exe
PowerDVD XP v4.0 Keygen.exe
QuickTime 6 Pro keygen.exe
Sonic Foundry ACID Pro 4.0 Keygen(1).exe
VMware 320 keygen (1).exe
Windows XP Professional Keygen by CaFo.exe
To enable sharing of these files the registry entry
HKCU\Software\Kazaa\LocalContent\Dir0
is updated to point to this location.
To run automatically at system startup, the worm copies itself to explorer64.exe in the Windows system folder and adds the following registry entries, which point to this file:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Microsoft Explorer(64)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Microsoft Explorer(64)
W32/Spybot-R has an IRC backdoor component which has keylogging and backdoor capabilities. The worm connects to an IRC server announcing the infection and allows a malicious user remote access to the computer.
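The registry entries named above can be checked offline against a Regedit export, such as the Backup file made during removal. The following is an added example, not Sophos code: it goes slightly beyond the entries listed by matching the value name under any hive's Run or RunOnce key, and the SID and C:\WINDOWS\System32 paths in the sample are constructed assumptions.

```python
import re

# Indicators from the description above: the autostart value name and the
# Kazaa share folder. Everything in SAMPLE is constructed for illustration.
RUN_VALUE = "microsoft explorer(64)"
SHARE_DIR = "kazaabackupfiles"
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
KAZAA_KEY = re.compile(r"\\Software\\Kazaa\\LocalContent$", re.I)
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    # In .reg string data a backslash escapes the character after it.
    return re.sub(r"\\(.)", lambda m: m.group(1), s)

def scan_reg_export(text):
    """Return (key, value name, data) for each entry matching an indicator."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)          # remember the current key path
            continue
        value = VALUE.match(line)
        if not (value and key):
            continue                        # header, blank or continuation line
        name, data = unescape(value.group(1)), value.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape(data[1:-1])     # REG_SZ; other types are left raw
        run_hit = RUN_KEY.search(key) and name.lower() == RUN_VALUE
        share_hit = (KAZAA_KEY.search(key) and name.lower() == "dir0"
                     and SHARE_DIR in data.lower())
        if run_hit or share_hit:
            hits.append((key, name, data))
    return hits

SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Explorer(64)"="C:\\WINDOWS\\System32\\explorer64.exe"
"SomeOtherApp"="C:\\Program Files\\Other\\app.exe"
[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsoft Explorer(64)"="C:\\WINDOWS\\System32\\explorer64.exe"
[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Kazaa\LocalContent]
"Dir0"="C:\\WINDOWS\\System32\\kazaabackupfiles"
'''

if __name__ == "__main__":
    for key, name, data in scan_reg_export(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

Regedit on Windows 2000/XP/2003 saves version 5.00 exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `scan_reg_export`.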
