Backdoor.K0wbot.1.2 / 1.3.A / 1.3.B

19 KB


  • the file explorer32.exe in the Windows System folder;

  • the Windows Explorer Update Build 1142 registry entries with a value of explorer32 can be found in the following registry keys:


  • a lot of copies of the virus (with different names, but all aprox. 19 KB in size) in the KaZaA shared folder, usually C:\\Program Files\\KaZaA\\My Shared Folder.
  • Consignes de suppression :

    The BitDefender Virus Analyse Team has releasead a free removal tool for this particular virus.

    Important: You will have to close all applications before running the tool (including the antivirus shields) and to restart the computer afterwards. Additionally you\'ll have to manually delete the infected files located in archives and the infected messages from your mail client.

    The BitDefender AntiKowBot.exe tool does the following:
  • it detects all known versions of K0wbot (1.2, 1.3A, 1.3B);

  • it deletes the files infected with K0wbot;

  • it kills the process from memory;

  • it repairs the Windows registry.

  • You may also need to restore the affected files.

    Analysé par

    Bogdan Dragu
    BitDefender Virus Researcher

    Description technique

    This is another Internet worm that uses the popular file sharing KaZaA network to spread; besides this, it includes an IRC remote control backdoor component. It is written in C and the executable is compressed and crypted; it also uses some protection techniques to make reverse-engineering difficult.

    When run, the virus copies itself as explorer32.exe in the Windows System folder and registers this copy to be run at every Windows start-up by creating the registry entries described above.

    The virus creates a temporary file c:\\moo.reg that is used to set the value of the registry entry


    to 0 (in order to enable sharing of KaZaA files).

    The virus makes aprox. 150 copies of itself in the KaZaA shared folder, using the names of appealing software/media files:

    The backdoor component connects to an IRC (Internet Relay Chat) server and allows remote control of the infected computer (after a password authentification), including the ability to perform the following actions on the \"victim\" computer:

  • updating the virus by downloading a newer version;

  • reporting information about the infected system (CPU speed, memory, operating system version, uptime, Internet connection type, local IP address etc.);

  • reporting installed software (by sending the file c:\\moo.txt which lists the subfolders of the Program Files folder);

  • performing different IRC commands, including flooding of other users of the chat server.