W32.Kwbot.B.Worm
Aliases: W32/rbit.worm, backdoor.tankedoor.02, W32.kwbot.b.worm, W32/etern.worm
Variants: W32.Kwbot.Worm, W32.Kwbot.C.Worm, W32.Kwbot.Y.Worm
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 02 Jan 2003
Damage: Medium
Characteristics: The W32.Kwbot.B.Worm attempts to propagate itself using the Kazaa file-sharing network. The worm also has the capabilities of a backdoor Trojan: it allows a hacker to gain control of the infected computer and steal sensitive information. The worm is written in Microsoft Visual C++ and packed with UPX.
W32.Kwbot.B.Worm Removal Tool
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
More details about W32.Kwbot.B.Worm
W32.Kwbot.B.Worm spreads using the Kazaa file-sharing network. When the worm is executed, it copies itself as MSIstall61.exe. To make sure it runs every time Windows starts, it adds values to the registry. It then opens a randomly chosen TCP/UDP port to connect to the hacker. The worm spreads to other computers through the default Kazaa shared folder, using a list of random names to attract victims. Examples of the filenames it uses include HortGirls.exe, Pamela_anderson.scr, etc. The worm has its own IRC client built into the Trojan, which listens on the IRC channel for commands from the hacker. The commands allow the hacker to manage the installation of the backdoor, control the IRC client on the infected computer, update the installed Trojan, and send the Trojan to other IRC channels in order to spread.
The hacker can also download and execute files, retrieve system and network information, perform Denial of Service attacks against a target, and completely uninstall the Trojan by removing the relevant registry entries on the infected computer. Reports from the field claim that this program consists of software programmed for hostile, malicious, or harmful purposes. The program can be used by a hacker to compromise and put at risk the user’s computer as well as the entire network. Allegedly, the W32.Kwbot.B.Worm program can be used as a tool to monitor the Internet activities of the user. It is also reported that it can allow the intruder to capture sensitive and confidential information.
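The file-level indicators described above (the self-copy name MSIstall61.exe, .exe/.scr bait files in a shared folder, UPX packing) can be checked with a short triage script. This is an added example, not code from the original page: the folder to scan is supplied by the caller, `fake_pe` builds constructed sample headers, and a UPX section name is treated only as a triage signal because legitimate software is also UPX-packed.

```python
import struct
from pathlib import Path

DROPPED_NAME = "msistall61.exe"      # self-copy name given in the write-up
BAIT_EXTENSIONS = {".exe", ".scr"}   # extensions of the bait files it names

def pe_section_names(data: bytes) -> list[str]:
    """Return PE section names, or [] if data is not a parseable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return []
    count, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    names = []
    for i in range(count):
        entry = table + 40 * i                            # 40-byte section header
        if entry + 8 > len(data):
            break                                         # truncated file
        names.append(data[entry:entry + 8].rstrip(b"\0").decode("latin-1"))
    return names

def triage(folder: Path) -> dict[str, list[str]]:
    """Map each suspicious file in a shared folder to the reasons it was flagged."""
    findings = {}
    for path in sorted(folder.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in BAIT_EXTENSIONS:
            continue
        reasons = []
        if path.name.lower() == DROPPED_NAME:
            reasons.append("name matches MSIstall61.exe")
        with path.open("rb") as fh:
            header = fh.read(4096)                        # headers only
        if any(n.startswith("UPX") for n in pe_section_names(header)):
            reasons.append("UPX-packed PE")
        if reasons:
            findings[path.name] = reasons
    return findings

def fake_pe(*sections: str) -> bytes:
    """Constructed sample: minimal PE headers carrying the given section names."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    return dos + coff + b"".join(s.encode().ljust(40, b"\0") for s in sections)
```

Flagged files are candidates for a full antivirus scan, not confirmed infections; a packer can also rename its sections, so an empty result does not clear a folder.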