
W32/Spybot-R

Old 14 October 2003, 03:49 PM
  #1  
DJ Dunk

W32/Spybot-R is a P2P worm that spreads via the KaZaA file sharing network.
Upon execution, W32/Spybot-R displays the fake error message
"Runtime Error", "Unable to locate Smartinstl32.dll. Re-installing the application may fix the problem".

The worm creates the folder <system>\kazaabackupfiles and copies itself there using several different filenames, including:

Battlefield_1942.Keygen.FDX.ShareReactor.exe
C&C.Generals-keygen.exe
cs-keygen.exe
dev-nfs.exe
eatop605kg.exe
Freelancer Keygen.exe
hv-Max5-kg.exe
Opera601key.exe
PowerDVD XP v4.0 Keygen.exe
QuickTime 6 Pro keygen.exe
Sonic Foundry ACID Pro 4.0 Keygen(1).exe
VMware 320 keygen (1).exe
Windows XP Professional Keygen by CaFo.exe

To enable sharing of these files the registry entry HKCU\Software\Kazaa\LocalContent\Dir0 is updated to point to this location.

In order to be run automatically on system startup the worm copies itself to explorer64.exe in the Windows system folder and adds the following registry entries which point to this file:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsof Explorer(64)
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Microsof Explorer(64)

W32/Spybot-R has an IRC backdoor component which has keylogging and backdoor capabilities. The worm connects to an IRC server announcing the infection and allows a malicious user remote access to the computer.
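
As an added example (not part of the original post or of any vendor's tooling), the registry indicators listed in the post can be checked against a `reg export` text dump. The function names and the sample export are constructed for illustration, and the dump is assumed to be already decoded to text.

```python
import re

# Indicators taken from the post above.
RUN_VALUE = "microsof explorer(64)"
DROPPED_EXE = "explorer64.exe"
SHARE_DIR = "kazaabackupfiles"
RUN_KEYS = (r"hklm\software\microsoft\windows\currentversion\run",
            r"hkcu\software\microsoft\windows\currentversion\runonce")
KAZAA_KEY = r"hkcu\software\kazaa\localcontent"
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # a .reg quoted string with backslash escapes

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in 'reg export' text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # key header: normalise hive name and case
            hive, _, rest = m.group(1).partition("\\")
            key = HIVES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()
            continue
        m = re.fullmatch(QUOTED + "=" + QUOTED, line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def find_spybot_r(text):
    """Return (kind, key, value_name, data) for each matching indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        d = data.lower()
        if key in RUN_KEYS and (name.lower() == RUN_VALUE or d.endswith(DROPPED_EXE)):
            hits.append(("autorun", key, name, data))
        elif key == KAZAA_KEY and name.lower() == "dir0" and SHARE_DIR in d:
            hits.append(("kazaa-share", key, name, data))
    return hits

# Constructed sample export, not captured from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsof Explorer(64)"="C:\\WINDOWS\\system32\\explorer64.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Microsof Explorer(64)"="explorer64.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="C:\\WINDOWS\\system32\\kazaabackupfiles"
'''
```

Calling `find_spybot_r(SAMPLE)` returns two `autorun` hits and one `kazaa-share` hit; the unrelated `SoundMan` autorun entry is not flagged.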
Old 14 October 2003, 04:05 PM
  #2  
JackClark

Pretty sure we - McAfee - get this one generically, description here
Old 14 October 2003, 04:10 PM
  #3  
DJ Dunk

I saw the old one a few months back, I assumed this was a new variant?

[Edited by DJ Dunk - 10/14/2003 4:11:00 PM]
Old 14 October 2003, 05:40 PM
  #4  
JackClark

"This family of worms is expanding extremely rapidly (89 variants currently) and new variants are constantly being covered by our generic detection. For up-to-date protection from the latest variants you need to use the latest DATs."
Old 14 October 2003, 06:41 PM
  #5  
DJ Dunk

Cheers Jack



