W32/Zipwire-A

Aliases	Trojan-Downloader.Win32.VB.dck TR/Dldr.VB.dck TROJ_VB.CEO Win32/Pizbot.gen
Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary

Summary
Action
More Information


How it spreads	Peer-to-peer
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Included in our products from	July 2008 (4.31)
Protection available since	15 May 2008 18:25:09 (GMT)
Detected by	All Sophos products

Action

Summary
Action
More Information

Please follow the instructions for removing worms.

More Information

Summary
Action
More Information

W32/Zipwire-A is a peer-to-peer worm for the Windows platform that spreads using the LimeWire and FrostWire file sharing applications.

W32/Zipwire-A arrives as a zip archive containing a single file named Setup.exe, typically downloaded from the file sharing network.

W32/Zipwire-A contains a backdoor that connects to an IRC server and allows a remote user to access the computer.

W32/Zipwire-A creates a zipped copy of itself in <Windows>\Fonts\a.zip and shares it on the peer-to-peer network using the names of popular shared files.

W32/Zipwire-A obtains a list of potential filenames for copies of itself shared on the peer-to-peer network by downloading torrent listing pages from several BitTorrent tracking sites and parsing them for torrent filenames.

When first run W32/Zipwire-A copies itself to <Windows>\Fonts\svchost.exe and <Windows>\Fonts\Setup.exe and creates the following registry entry in order to run on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Host Process
<Windows>\Fonts\svchost.exe

Get reports about the latest virus and spyware threats delivered to your computer

In this section

W32/Zipwire-A

Summary

Action

More Information