W32/Spybot-CD

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Spybot-CD is a backdoor Trojan and worm that spreads via file sharing on
Kazaa P2P networks and by copying itself to network shares that have weak
password protection on the ADMIN$ share.

When first run, W32/Spybot-CD copies itself to the Windows system folder as
mmtask5.exe and creates the following registry entries so that WUAUMGR.EXE
is run automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Winsock2 driver = mmtask5.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
Winsock2 driver = mmtask5.exe

W32/Spybot-CD creates a new sub-folder of the Windows system folder named
kazaabackupfiles\ and copies itself to this folder using various filenames
such as:

5 sluts rape willing male.exe
AVP_Crack.exe
Battlefield1942_bloodpatch.exe
Janet-Superbowl-tittys.exe
MS-Office-XP-Keygen.exe
PingPong.exe

W32/Spybot-CD then makes the new %SYSTEM%\kazaabackupfiles\ folder shareable on Kazaa networks by setting the registry entry:

HKCU\Software\Kazaa\LocalContent\
Dir0 = "012345:C:\WINDOWS\SYSTEM32\kazaabackupfiles\"

Each time W32/Spybot-CD runs, it tries to connect to a remote IRC server and
join a specific channel. W32/Spybot-CD then runs continuously in the
background, listening on the channel for instructions.
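
The registry changes described above can be checked for in an exported registry file. The following is an added example, not part of the original description or any vendor tool: it scans "reg export" text for the autostart value and the Kazaa shared-folder entry. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators taken from the description above; keys are matched by suffix so
# HKLM, HKCU and HKEY_USERS\<SID> exports are all covered.
AUTORUN_SUFFIXES = (r"\software\microsoft\windows\currentversion\run",
                    r"\software\microsoft\windows\currentversion\runonce")
KAZAA_SUFFIX = r"\software\kazaa\localcontent"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in "reg export" text form (not captured from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleApp"="C:\\Program Files\\Example\\app.exe"
"Winsock2 driver"="mmtask5.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Winsock2 driver"="mmtask5.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\WINDOWS\\SYSTEM32\\kazaabackupfiles\\"
"Dir1"="012345:C:\\Music\\"
'''

def unescape(s):
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (key, value name, data, reason) for each matching value."""
    findings, key = [], ""
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header names the current key
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # non-string values (dword:, hex:) are not inspected
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(AUTORUN_SUFFIXES) and (n == "winsock2 driver" or "mmtask5.exe" in d):
            findings.append((key, name, data, "autostart entry"))
        elif k.endswith(KAZAA_SUFFIX) and n.startswith("dir") and "kazaabackupfiles" in d:
            findings.append((key, name, data, "Kazaa shared folder"))
    return findings

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_EXPORT):
        print(finding)
```

Files written by reg export are normally UTF-16 encoded, so decode them to text before passing them to scan_reg_export.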