W32/Blaxe-A Aliases Worm.P2P.Blaxe, Win32/Lablan.A, W32.HLLW.Blaxe, WORM_BLAXE.A Type Win32 worm Description W32/Blaxe-A is a worm which spreads via file sharing on P2P networks. When first run W32/Blaxe-A copies itself to the Windows folder as BearShare.exe and WinBat.exe and creates the following registry entries so that BearShare.exe is run automatically each time Windows is started: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\BearShare = %WINDOWS%BearShare.exe HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BearShare = %WINDOWS%\BearShare.exe W32/Blaxe-A adds the pathname of WinBat.exe to the following registry entry so that WinBat.exe is run each time a MS-DOS batch file is run or opened: HKLM\Software\CLASSES\batfile\shell\open\command W32/Blaxe-A creates a sub-folder of the Windows folder named \Kernell\, with the Hidden attribute set, and copies itself to this folder using filenames such as: Read more: http://www.sophos.com/virusinfo/analyses/w32blaxea.html