Summary
Summary
Action- More Information
| Included in our products from | August 2002 (3.60) |
|---|---|
| Detected by | All Sophos products |
Action
- Summary
- Action
- More Information
Please read the instructions for removing worms.
You will also need to edit the following registry entries, if they are present.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Explorer Update Build 1142 = explorer32
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Explorer Update Build 1142 = explorer32
and delete them if they exist.
Close the registry editor.
More Information
W32/KWBot-A is a worm which exploits the KaZaA peer-to-peer network.
When first executed the worm will copy itself to the Windows system folder as explorer32.exe. It will then create the following registry entries so that the copy is run each time Windows is started:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Explorer Update Build 1142 = explorer32
and
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
Windows Explorer Update Build 1142 = explorer32
W32/KWBot-A will attempt to get unsuspecting users to download copies of itself by using filenames which may be attractive to other users, such as film titles or popular software.
Examples of filenames used are:
Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
Spiderman The Movie - The Game.exe
Grand Theft Auto 3 CD1 ISO.exe
ZoneAlarm Firewall Pro.exe
Windows XP Professional iso.exe
Unreal Tournament cracked (works on all servers).exe
University Study Guide (cheat sheet).exe
Quicken Pro 2002 iso.exe
Perl Ultimate Study Guide.exe
Office XP Corporate Ed. iso.exe
Norton Utilities 2002.exe
Microsoft Visual C++ 7.0 iso.exe
MCSE Ultimate Study Guide.exe
Max Payne full iso.exe
Macromedia Flash 5.exe
Kazaa Advertisement Ad remover.exe
DSL Anonymizer.exe
DoS Attacker.exe
DivX Codec 6.0 beta (codec only).exe
Credit Card number generator VERIFIER (cc cc#).exe
cows gone wild.exe
100 XXX Passwords (verified 3-24-02).exe
The worm may also allow attackers to gain control of an infected computer using commands transmitted over IRC.
|
