W32/KWBot-A Worm

Discussion in 'malware problems & news' started by Paul Wilders, Jul 5, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands
    W32.Kwbot.Worm, Worm.Win32.SdBot, W32/Moocow-A

    Win32 worm


    W32/KWBot-A is a worm which exploits the Kazaa peer-to-peer network.

    When first executed the worm will copy itself to the Windows system folder as explorer32.exe. It will then create the following registry entries so that the copy is run each time Windows is started:

    Windows Explorer Update Build 1142 = explorer32


    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Explorer Update Build 1142 = explorer32

    W32/KWBot-A will attempt to get unsuspecting users to download copies of itself by using filenames which may be attractive to other users, such as film titles or popular software.

    Examples of filenames used are :

    Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
    Spiderman The Movie - The Game.exe
    Grand Theft Auto 3 CD1 ISO.exe
    ZoneAlarm Firewall Pro.exe
    Windows XP Professional iso.exe
    Unreal Tournament cracked (works on all servers).exe
    University Study Guide (cheat sheet).exe
    Quicken Pro 2002 iso.exe
    Perl Ultimate Study Guide.exe
    Office XP Corporate Ed. iso.exe
    Norton Utilities 2002.exe
    Microsoft Visual C++ 7.0 iso.exe
    MCSE Ultimate Study Guide.exe
    Max Payne full iso.exe
    Macromedia Flash 5.exe
    Kazaa Advertisement Ad remover.exe
    DSL Anonymizer.exe
    DoS Attacker.exe
    DivX Codec 6.0 beta (codec only).exe
    Credit Card number generator VERIFIER (cc cc#).exe
    cows gone wild.exe
    100 XXX Passwords (verified 3-24-02).exe

    The worm may also allow attackers to gain control of an infected computer using commands transmitted over IRC.
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.