Virus Spreading On Kazaalite

[newcster68]

Just a little info I think u should all know considering my Norton Antivirus picked this up when I tried to open something up that I downloaded from KazaaLite thinking it was something else..

W32.Kwbot.F.Worm

Copies itself to the %Windir%\sCache32 folder as the following filenames:

2 Find MP3 8.2.0.exe
AC3-MP3 converter.exe
ACDSee 5.5b.exe
ACDSee Classic 2.79.exe
Ad-aware 6.5 (new)Download Accelerator Plus 6.3.exe
Adobe Acrobat Reader 5.6.exe
Adobe PhotoShop 7.1 crack.exe
All Editor 3.0b.exe
AOL Instant Messenger 6.1.exe
Auction Sentry (new).exe
AudioLabel CD Labeler 3.0 (+crack).exe
Battlefied1942 Pack4 (crack+bloodpatch).exe
BearShare 5.1.1.exe
C&C Generals Pack2 (new patch).exe
Complete UK Music Database 4.2.exe
DirectDVD 4.9.exe
DivX Bundle 6.2.exe
DivX edit (new).exe
DivX Video Bundle 5.5.1.exe
DvD Rip guide (+tools) st0rm.exe
Dynamite Downloads.exe
Easy CD Creator Software Update.exe
FlashFXP (keygen).exe
FreeRip 4.30.exe
Genie Stream 3.2.4.exe
GetRight 5.5 + crack.exe
Global DiVX Player 2.0.1.exe
Gothic 2 (m-patch).exe
Grokster 2.0.exe
Hacker Tutorial (by ph3Akz).exe
Half-Life keygen (+ogc hack).exe
HL keys (working).exe
I.G.I. 2 (new crack).exe
ICQ Lite beta (b2253).exe
ICQ Pro 2003a beta (b4600).exe
iMesh 4.1 beta.exe
iSnipeIt 5.0c.exe
James Bond 007 Nightfire crack.exe
Kazaa Media Desktop 2.5.exe
Kazaa Skins 1.8.exe
KaZooM MP3 Kazaa Accelerator 2.5.exe
Medal Of Honor (Allied Assault) crack.exe
Microangelo 6.0b.exe
mIRC 6.x addon patch.exe
mIRC s3th war-script.exe
Morpheus 2.6.exe
MP3 cut pro 3.0.exe
MSN Messenger 5.5.10.exe
Need for Speed 6 (new cars + crack).exe
NeoNapster 3.92.exe
Nero Burning ROM 5.8.2.4.exe
Network Cable + ADSL Speed 2.0 (beta).exe
New Nvidia (geForce) drivers (beta).exe
Nimo Codec Pack 9.0 (stable).exe
Nvidia Detonator XP Drivers (Windows XP/2000).exe
Operation Flashpoint (bloopatch).exe
Patch Creator 3.5a.exe
PhotoShow 3.1.exe
Pop-Up Stopper 4.0 (beta).exe
Ps2 to Pc tutorial (+tool).exe
QuickTime 7.2 (new).exe
Raven Shield 5.32 crack.exe
RealJukebox Basic 2.8.exe
RealOne Free Player 2.8.exe
RemoteSpy 1.5.exe
Sim City 4 crack.exe
Splinter Cell crack.exe
TitJiggle (flash game).exe
Trillian 0.8 + plugins.exe
UniversalFlood (4.8b).exe
Unreal2 (2.8) crack.exe
UT2003 multi-crack (new).exe
Warcraft3 battle.net(2.5) crack.exe
Window Washer 4.8.exe
WinMX 3.5.1.exe
WinRAR 3.8.exe
WinZip 8.3b (crack).exe
WinZip 9.0 SR-1.exe
Wippit 2.1 (beta).exe
WS_FTP LE 6.0.exe
XViD bundle (codec+tutorial).exe


6. Adds the values:

"Dir? 012345:"="%Windir%\sCache32"
"DisableSharing"="0"

NOTE: "?" in these values represents a number that the worm has chosen.

to these registry keys:

HKEY_CURRENT_USER\Software\Kazaa\LocalContent
HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent

so that other KaZaA or iMesh users may download the files from the %Windir%\sCache32 folder.

Backdoor.Sdbot actions
When Backdoor.Sdbot, which is the Backdoor Trojan that the worm dropped, is executed, it does the following:

1. Copies itself as %System%\System32.exe.

2. Creates the value:

"Shell"="Explorer.exe %system%\System32.exe"

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

3. Waits for an Internet connection. When the Trojan detects a connection, it connects to a specific IRC server using port 6667, joins a specific channel, and notifies a hacker by sending them a private message.

4. Waits for commands that the hacker transmits using IRC. The commands allow the hacker to perform any of the following actions:
Deliver system and network information to the hacker.
Manage the self installation.
Download and execute files.
Perform Denial of Service (DoS) attacks.
Replicate across file-sharing networks, such as KaZaA and iMesh.

Click for more information about this virus: W32.Kwbot.F.Worm

[Icebound]

funny, i downloaded that winrar3.8.exe file earlier today.
luckily, NAV picked it up killed the download and deleted the worm

[OutCast]

I downloaded some files (which I don't really download a lot on Kazaa Lite nowadays) and Norton always constantly find worms or viruses (and kills it) specially made for Kazaa. This is getting scary.

[ghost944]

Iv Found All of these on my comp last night Because in some other post there was a link to see all o your files on the web or somethin and there were all of these ones in my shared list,PC cillin Never Picked it Up though So Im Getting Ready Now To Deleat Them All Now

[Wolfmight]

NAV'll take it out... I check for updates every week (plus is auto updates normally)

[firefox]

Originally posted by ghost944@1 May 2003 - 05:31
Iv Found All of these on my comp last night Because in some other post there was a link to see all o your files on the web or somethin and there were all of these ones in my shared list,PC cillin Never Picked it Up though So Im Getting Ready Now To Deleat Them All Now

ghost944 it is not enought to just delete these files, becasue on your next reboot they will be there again, you have to update your virus program, I really never liked PC Cillin but that is me, and then do a full scan of your computer to remove the virus. Delete any file with the virus. Then do a restart and rescan just to make sure.

[RedRival]

Bleh my version of some cheap branded antivirus seems to be screwing up on me.
Please recommend some good ones that I can use. Norton, Macafee...nid opinions.

[ricky]

RedRival, i would recommend norton antivirus 2003 and norton firewall 2003... just download it through kazaa...

[firefox]

Norton 2003 seems to do a good job. Also Mcafee is good but i do not like there firewall that is built in, but you can disable it. I like using McAfee version 4.5.1 (corp. edition). But the latest out is 6 I think.

[ghost944]

I have Just Finished Deleteing those files with windows washer with bleach then went and deleated those reg keys that the link told me to delete just rebooted seen this post and checked the file they were in and they are not there so i think i have got rid of them.

Also my Pc Cillin is 2003 and is always up to date for firewalls i use sygate 5.0,Pc Cillins and Armour 2 net cuz it stops pop ups and cleans spyware.

Just checked again and they aint back yet.