Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B( W32.Kwbot.Worm )
SYMPTOMS:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]

TECHNICAL DESCRIPTION:
This is another Internet worm that spreads through the popular KaZaA file-sharing network; it also includes an IRC remote-control backdoor component. It is written in C, and the executable is compressed and encrypted; it also uses several protection techniques that make reverse engineering difficult.

When run, the worm copies itself as explorer32.exe into the Windows System folder and registers this copy to run at every Windows start-up by creating the registry entries listed above. The worm creates a temporary file, c:\moo.reg, which it uses to set the registry value [HKCU\Software\Kazaa\LocalContent\DisableSharing] to 0 (in order to enable sharing of the KaZaA folder). The worm then makes approximately 150 copies of itself in the KaZaA shared folder, under the names of appealing software/media files:

The backdoor component connects to an IRC (Internet Relay Chat) server and, after password authentication, allows remote control of the infected computer, including the ability to perform the following actions on the "victim" computer:

Removal instructions:
The BitDefender Virus Analysis Team has released a free removal tool for this particular virus.
Important: You will have to close all applications (including the antivirus shields) before running the tool and restart the computer afterwards. Additionally, you will have to manually delete infected files located in archives and infected messages from your mail client.
The BitDefender AntiKowBot.exe tool does the following:
You may also need to restore the affected files.

ANALYZED BY: Bogdan Dragu, BitDefender Virus Researcher
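The indicators in the technical description (the explorer32.exe copy, the Run/RunServices entries, the c:\moo.reg import that clears DisableSharing, and the mass of bait copies in the KaZaA shared folder) can be checked mechanically during triage. The script below is an added example, not BitDefender's AntiKowBot tool and not code from the entry. It works on a constructed host snapshot so it runs offline; the `HostSnapshot`, `triage`, `parse_reg_file` and `demo` names, the `MASS_COPY_THRESHOLD` of 100, the shared-folder path, the bait file names and the `MOO_REG_ASSUMED` contents (a minimal regedit import that produces the DisableSharing=0 effect the entry describes) are all assumptions for illustration.

```python
"""Added IOC triage for the K0wbot / Kwbot indicators described in the entry.

Added example, not BitDefender's AntiKowBot tool and not code from the page.
Runs against a constructed host snapshot; the moo.reg content is a
reconstruction (assumption) of an import that clears DisableSharing.
"""
import re
from dataclasses import dataclass

# Indicators taken from the entry.
RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
DROPPER = "explorer32.exe"
REG_TEMP_FILE = r"c:\moo.reg"
KAZAA_KEY = r"HKCU\Software\Kazaa\LocalContent"
MASS_COPY_THRESHOLD = 100  # assumption: the entry reports roughly 150 copies

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Assumed reconstruction of c:\moo.reg (not captured from a sample).
MOO_REG_ASSUMED = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"DisableSharing"=dword:00000000
"""


@dataclass
class HostSnapshot:
    registry: dict          # normalized key path -> {value name: data}
    files: set              # full paths present on disk
    kazaa_shared_dir: str   # the KaZaA shared folder path


def normalize_key(key):
    """Map HKEY_* hive names to the short form used in the entry (HKLM/HKCU)."""
    hive, sep, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest


def parse_reg_file(text):
    """Parse a .reg file (the format regedit imports) into {key: {name: data}}.
    Supports "name"="string" and "name"=dword:hex, which is all the import needs."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = normalize_key(key_match.group(1))
            result.setdefault(current, {})
            continue
        val_match = re.fullmatch(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{1,8}))', line)
        if val_match and current is not None:
            name, string_data, dword_hex = val_match.groups()
            result[current][name] = string_data if dword_hex is None else int(dword_hex, 16)
    return result


def apply_reg_file(registry, text):
    r"""Merge a .reg file into the snapshot, as 'regedit /s c:\moo.reg' would."""
    for key, values in parse_reg_file(text).items():
        registry.setdefault(key, {}).update(values)
    return registry


def triage(snap):
    """Return (indicator, detail) pairs for every K0wbot indicator present."""
    findings = []
    for key in RUN_KEYS:                       # persistence via Run / RunServices
        for name, data in snap.registry.get(key, {}).items():
            if str(data).lower().endswith(DROPPER):
                findings.append(("autorun", f"{key}\\{name} = {data}"))
    lowered = {p.lower() for p in snap.files}
    for path in sorted(lowered):               # the explorer32.exe copy on disk
        if path.endswith("\\" + DROPPER):
            findings.append(("dropper", path))
    if REG_TEMP_FILE in lowered:               # leftover temporary .reg file
        findings.append(("reg_temp_file", REG_TEMP_FILE))
    if snap.registry.get(KAZAA_KEY, {}).get("DisableSharing") == 0:
        findings.append(("kazaa_sharing_forced_on", f"{KAZAA_KEY}\\DisableSharing = 0"))
    prefix = snap.kazaa_shared_dir.lower().rstrip("\\") + "\\"
    copies = sum(1 for p in lowered if p.startswith(prefix))
    if copies >= MASS_COPY_THRESHOLD:          # seeding of bait copies
        findings.append(("mass_copies", f"{copies} files under {snap.kazaa_shared_dir}"))
    return findings


def demo():
    """Constructed snapshot of an infected host; not captured data."""
    shared = r"c:\program files\kazaa\my shared folder"
    registry = {
        RUN_KEYS[0]: {"explorer32": r"C:\WINDOWS\SYSTEM\explorer32.exe"},
        RUN_KEYS[1]: {"explorer32": r"C:\WINDOWS\SYSTEM\explorer32.exe"},
        KAZAA_KEY: {"DisableSharing": 1},      # sharing was off before infection
    }
    apply_reg_file(registry, MOO_REG_ASSUMED)  # the effect of importing moo.reg
    files = {r"C:\WINDOWS\SYSTEM\explorer32.exe", REG_TEMP_FILE}
    files |= {rf"{shared}\bait{i:03d}.exe" for i in range(150)}  # constructed bait names
    return triage(HostSnapshot(registry, files, shared))


if __name__ == "__main__":
    for indicator, detail in demo():
        print(f"{indicator:24} {detail}")
```

On a live host the same checks map to `reg query` on the two Run keys and the Kazaa LocalContent key, a directory listing of the System folder and the shared folder, and a test for c:\moo.reg; the snapshot form here only stands in for those reads so the logic can be exercised offline.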
