W32/Spybot-V

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winsock2 driver= iexplore.exe

and delete it if it exists.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Winsock2 driver= iexplore.exe

and delete it if it exists.

Close the registry editor and reboot your computer.

W32/Spybot-V is a peer-to-peer worm and backdoor Trojan that copies itself into the Windows system folder with the name iexplore.exe or with a random name and sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Winsock2 driver= iexplore.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winsock2 driver= iexplore.exe

The worm creates the folder <System>\kazaabackupfiles and copies itself into this folder as divx.exe, fdd.exe, fuck.exe, gay.exe, lesbiansex.exe, matrix.exe, pamela.exe, porn.exe, slsk.exe, torrent.exe and xvid.exe and sets the following registry entry to point to this folder:

HKCU\Software\Kazaa\LocalContent\Dir0

W32/Spybot-V terminates certain utility programs and logs on to a predefined IRC server and waits for backdoor commands.