Win32/Kwbot.1_3 [Threat Name] go to Threat

Win32/Kwbot.1_3 [Threat Variant Name]

Category	trojan,worm
Size	19600 B
Aliases	Net-Worm.Win32.SdBoter.a (Kaspersky)
	Win32/Kwbot (Microsoft)
	W32.Kwbot.Worm (Symantec)
	Win32:KWBot (Avast)

Short description

Win32/Kwbot.1_3 is a worm that spreads via P2P networks. The worm contains a backdoor. It can be controlled remotely. The file is run-time compressed using FSG .

Installation

When executed, the worm creates the following files:

%system%\explorer32.exe (19600 B)

In order to be executed on every system start, the worm sets the following Registry entries:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Windows Explorer Update Build 1142" = "explorer32.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
- "Windows Explorer Update Build 1142" = "explorer32.exe"

Spreading via P2P networks

Win32/Kwbot.1_3 is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:

Kazaa

It tries to place a copy of itself into the folders.

Its filename is one of the following:

100 hot hardcore preteen wallpapers (xxx pussy lesbian slut cunt fuck anal).exe
100 hot lesbian wallpapers (xxx pussy lesbian slut cunt fuck).exe
100 xxx passwords (verified 3-24-02).exe
1001 mixed drinks.exe
2000 playboy centerfold wallpapers (xxx pussy lesbian slut cunt fuck).exe
2001 playboy centerfold wallpapers (xxx pussy lesbian slut cunt fuck).exe
2002 playboy centerfold wallpapers (xxx pussy lesbian slut cunt fuck).exe
a+ certification ultimate study guide.exe
acdsee 4.1 cracked.exe
adobe photoshop.exe
adobe photoshop 6 ultimate study guide.exe
adult check password cracker (xxx pussy lesbian slut cunt fuck anal incest).exe
aim hacker.exe
all cliff notes (cliff's).exe
ansi c ultimate study guide.exe
aol hacker.exe
babylonx backdoor.exe
babylonx password cracker.exe
bandwidth booster 4.2 for cable,dsl.exe
blackice defender.exe
borland c++ builder 8.0 iso.exe
britney spears nude wallpaper (xxx pussy lesbian slut cunt fuck).exe
brutal forced preteen anal sex (xxx fuck anal lesbian cum scat bukkake hentai).exe
c++ ultimate study guide.exe
cable modem anonymizer.exe
cable uncapper.exe
christina aguilera nude wallpaper (xxx pussy lesbian slut cunt fuck).exe
clonecd.exe
clonecd crack (all versions) core.exe
clonecd keygen.exe
college biology ultimate study guide.exe
college chemistry ultimate study guide.exe
college computer engineering ultimate study guide.exe
college computer science ultimate study guide.exe
college english ultimate study guide.exe
college ethics ultimate study guide.exe
college history ultimate study guide.exe
college philosophy ultimate study guide.exe
command and conquer cnc c&c renegade iso.exe
conceal pc firewall.exe
copy (11) of zonealarm firewall pro.exe
copy of zonealarm firewall pro.exe
cows gone wild.exe
credit card number generator verifier (cc cc#).exe
dark planet battle for natrolis cracked.exe
delphi ultimate study guide.exe
divx codec 4.0 (codec only).exe
divx codec 5.0 (codec only).exe
divx codec 6.0 beta (codec only).exe
dos attacker.exe
dreamcast emulator.exe
dsl anonymizer.exe
dsl uncapper.exe
easy cd creator crack (all versions) (core).exe
end of twilight iso.exe
espn nfl primetime 2002 iso.exe
gamecube emulator.exe
ghost recon.exe
ghost recon - desert siege.exe
grand theft auto 3 cd1 iso.exe
grand theft auto 3 cd2 iso.exe
hacker utils 2002.exe
hacking tools 2002.exe
hentai - bondage pic series (142 pics) (xxx fuck anal lesbian cum scat bukkake hentai).exe
hentai - bondage pic series (142 pics) (xxx fuck anal lesbian cum scat hentai).exe
hentai - mystery of the necromonicon (divx) (xxx fuck anal lesbian cum scat bukkake hentai).exe
hentai - mystery of the necromonicon (divx) (xxx fuck anal lesbian cum scat hentai).exe
hooligans iso.exe
horny lesbian fucks horse! (xxx fuck anal lesbian cum scat bukkake hentai).exe
icq aim password stealer.exe
icq hack.exe
incoming forces iso.exe
irc hacker.exe
japanese scat video (sick) (xxx fuck anal lesbian cum scat bukkake hentai).exe
kama sutra.exe
kazaa advertisement ad remover.exe
lesbian horse fuckers.exe
macromedia flash 5.exe
macromedia flash 5 ultimate study guide.exe
max payne full iso.exe
max payne multiplayer addon.exe
mcse ultimate study guide.exe
microsoft office xp upgrade (from older versions).exe
microsoft visual c++ 7.0 iso.exe
mirc backdoor hack.exe
monsterville cracked.exe
nero 5.5 crack.exe
nero burning rom 5.5 crack.exe
nero burning rom 5.5 cracked.exe
norton antivirus 2002.exe
norton internet security 2002.exe
norton systemworks 2002.exe
norton utilities 2002.exe
notron utilities 2002.exe
oni 2nd second edition.exe
perl ultimate study guide.exe
php4 ultimate study guide.exe
playboy nude wallpaper (xxx pussy lesbian slut cunt fuck).exe
playstation 2 ps2 emulator.exe
preteen bondage pics (xxx pussy lesbian slut cunt fuck).exe
preteen girl fucks and sucks her dad (xxx pussy lesbian slut cunt fuck).exe
preteen girl gangbang (xxx fuck anal lesbian cum scat bukkake hentai).exe
preteen girl rape collection (xxx pussy lesbian slut cunt fuck).exe
preteen nude pics (xxx pussy lesbian slut cunt fuck).exe
quake 3 cracked (works on all servers).exe
quake 4 leaked beta (cracked).exe
quicken pro 2002 iso.exe
ray crisis iso.exe
return to castle wolfenstein iso.exe
return to castle wolfenstein rtcw crack (play on any server with fake serial!).exe
return to castle wolfenstein rtcw cracked server patch (play on any server with a fake serial!).exe
soldier of fortune 2 cd1 iso.exe
soldier of fortune 2 cd2 iso.exe
sound forge xp studio + serial.exe
space empires iv 4 gold iso.exe
spiderman svcd cd1.exe
spiderman svcd cd2.exe
spiderman svcd cd3.exe
spiderman the movie - the game.exe
star trek bridge commander iso.exe
star trek klingon academy iso.exe
star wars episode 2 - attack of the clones vcd cd1.exe
star wars episode 2 - attack of the clones vcd cd2.exe
star wars jedi knight ii 2.exe
sum of all fears svcd cd1.exe
sum of all fears svcd cd2.exe
sum of all fears svcd cd3.exe
the secret of the nautilus iso.exe
turbotax professional 2002 iso.exe
uncapper for edu connections.exe
university study guide (cheat sheet).exe
unreal 3 beta cracked.exe
unreal tournament cracked (works on all servers).exe
warcraft 3 beta.exe
warcraft 3 crack.exe
warcraft 3 keygen.exe
warez locator (finds and verifies).exe
warrior kings iso.exe
winace with crack.exe
winamp 3.0 beta.exe
windows 2000 win2k backdoor hack.exe
windows 2000 win2k password stealer.exe
windows 98 hacker.exe
windows xp backdoor hack.exe
windows xp home to professional upgrade.exe
windows xp professional iso.exe
windows xp remote password cracker.exe
windows xp server iso.exe
winmx backdoor hack.exe
winrar with crack.exe
winzip key generator (c0re).exe
xxx password cracker (xxx pussy lesbian slut cunt fuck).exe
xxx tetris (xxx pussy lesbian slut cunt fuck).exe
zonealarm firewall pro.exe

The worm may set the following Registry entries:

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
- "DisableSharing" = 0

Other information

The worm acquires data and commands from a remote computer or the Internet. It can be controlled remotely.

The worm connects to the following addresses:

m00c0w.organiccrap.com

The IRC protocol is used.

It can execute the following operations:

perform DoS/DDoS attacks
download files from a remote computer and/or the Internet
run executable files
spread via shared folders and P2P networks
perform port scanning
stop itself for a certain time period
redirect network traffic
collect information about the operating system used
remove itself from the infected computer
update itself to a newer version

The worm collects the following information:

computer name
user name
network adapter information
operating system version

The worm can send the information to a remote machine.