Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

W32/Spybot-BM

Feb 27, 2004 12:13AM PST

Aliases
Worm.P2P.SpyBot.gen, W32/Spybot.worm.gen, W32.Spybot.Worm

Type
Win32 worm

Description
W32/Spybot-BM is a peer-to-peer worm and backdoor Trojan that copies itself into the Windows system folder using a random name and sets the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver

W32/Spybot-BM creates the folder kazaabackupfiles in the Windows system folder and copies itself there using various filenames.

The worm also sets the following registry entry to point to this folder:

HKCU\Software\Kazaa\LocalContent\Dir0

W32/Spybot-BM terminates regedit.exe, taskmgr.exe, msconfig.exe and netstat.exe. The worm also logs on to a predefined IRC server to wait for backdoor commands.

http://www.sophos.com/virusinfo/analyses/w32spybotbm.html

Discussion is locked