K0wbot Removal Tool

K0wbot Removal Tool is a handy application that will help you to easily get rid of the K0wbot backdoor virus.

This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

The virus creates a temporary file c:\moo.reg that is used to set the value of the registry entry [HKCU\Software\Kazaa\LocalContent\DisableSharing] to 0 (in order to enable sharing of KaZaA files).

The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files.

The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the "victim" computer:

· updating the virus by downloading a newer version; · reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.); · reporting installed software (by sending the file c:\moo.txt which lists the subfolders of the Program Files folder); · performing different IRC commands, including flooding of other users of the chat server.