Aliases: W32.Kwbot.Worm, Worm.Win32.SdBot, W32/Moocow-A

Type: Win32 worm

Description:

W32/KWBot-A is a worm which exploits the Kazaa peer-to-peer network.

When first executed, the worm will copy itself to the Windows system folder as explorer32.exe. It will then create the following registry entries so that the copy is run each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Update Build 1142 = explorer32

and

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Explorer Update Build 1142 = explorer32

W32/KWBot-A will attempt to get unsuspecting users to download copies of itself by using filenames which may be attractive to other users, such as film titles or popular software. Examples of filenames used are:

Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
Spiderman The Movie - The Game.exe
Grand Theft Auto 3 CD1 ISO.exe
ZoneAlarm Firewall Pro.exe
Windows XP Professional iso.exe
Unreal Tournament cracked (works on all servers).exe
University Study Guide (cheat sheet).exe
Quicken Pro 2002 iso.exe
Perl Ultimate Study Guide.exe
Office XP Corporate Ed. iso.exe
Norton Utilities 2002.exe
Microsoft Visual C++ 7.0 iso.exe
MCSE Ultimate Study Guide.exe
Max Payne full iso.exe
Macromedia Flash 5.exe
Kazaa Advertisement Ad remover.exe
DSL Anonymizer.exe
DoS Attacker.exe
DivX Codec 6.0 beta (codec only).exe
Credit Card number generator VERIFIER (cc cc#).exe
cows gone wild.exe
100 XXX Passwords (verified 3-24-02).exe

The worm may also allow attackers to gain control of an infected computer using commands transmitted over IRC.
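
A check for the two autorun entries described above, added here as an example and not taken from the original description: it parses text in the layout printed by `reg query` and flags values under the Run and RunServices keys that match the value name or the explorer32 data. The function names, the assumed four-space field layout and the sample input are assumptions made for this example.

```python
import re

# Indicators from the description above; all function names are hypothetical.
VALUE_NAME = "windows explorer update build 1142"
VALUE_DATA = "explorer32"
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
# Assumed `reg query` layout: 4 spaces, name, 4 spaces, type, 4 spaces, data.
# Value names may contain single spaces, so fields are split on the 4-space gap.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")

# Constructed sample input, not captured from a real machine.
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    Windows Explorer Update Build 1142    REG_SZ    explorer32\n"
    "    SoundMan    REG_SZ    SOUNDMAN.EXE\n"
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n"
    "    Renamed Entry    REG_SZ    C:\\WINDOWS\\SYSTEM\\explorer32.exe\n"
)

def program_name(data):
    """Reduce autorun data to a lower-case program name without path or .exe."""
    data = data.strip()
    first = data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
    name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def find_kwbot_autoruns(reg_output):
    """Return (key, value name, data, reasons) for entries matching the indicators."""
    hits, key = [], None
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or key.lower() not in AUTORUN_KEYS:
            continue
        name, _type, data = m.groups()
        reasons = [label for label, matched in (
            ("value name", name.strip().lower() == VALUE_NAME),
            ("value data", program_name(data) == VALUE_DATA)) if matched]
        if reasons:
            hits.append((key, name, data, reasons))
    return hits

if __name__ == "__main__":
    print(find_kwbot_autoruns(SAMPLE))
```

Matching on the data as well as the value name catches an entry whose name was changed but which still launches explorer32 from the system folder.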