wuxat.exe - an answer

  0006 22:47 13 May 04
Recently, I posted a request to ask if anyone knew anything about a file called wuxat.exe. It installed itself in C:\Windows\System32 and tried to connect to the Internet. I sent it to Sophos for examination, and this is their response:

Avg-pro.exe and wuxat~bat.exe are now detected as W32/Spybot-CA.

W32/Spybot-CA is a peer-to-peer worm and backdoor Trojan that copies itself into the Windows system folder as WUXAT.EXE using a random name and sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceConfiguration Default = WUXAT.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunConfiguration Default = WUXAT.EXE

W32/Spybot-CA creates the folder kazaabackupfiles in the Windows system folder and copies itself there using the following filenames:

AVP_Crack.exe
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
avg-pro_crack.exe
divx_codec.exe
gta3_patchfr.exe
keygen.exe
mirc_crack.exe
movie_xxx.exe
norton_crack.exe
paris_hilton_movie_xxx.exe
windows_crack.exe
windows_xp.exe
zone_alarm_crack.exe

The worm also sets the following registry entry to point to this folder:

HKCU\Software\Kazaa\LocalContent

So now we all know. Be careful all, and thanks Sophos!
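
An added example, not part of the original post or of Sophos's reply: a small triage helper that checks a collected file inventory and a list of registry values against the indicators named in the description above. The function names, the hit labels and the sample inventory are assumptions made for illustration, and autorun matching accepts any key under CurrentVersion\Run* whose data names the dropped file.

```python
import ntpath

# Indicators as listed in the Sophos description quoted in the post above.
DROPPED_NAME = "wuxat.exe"
SHARE_FOLDER = "kazaabackupfiles"
LURE_NAMES = {n.lower() for n in (
    "AVP_Crack.exe", "Battlefield1942_bloodpatch.exe", "Unreal2_bloodpatch.exe",
    "avg-pro_crack.exe", "divx_codec.exe", "gta3_patchfr.exe", "keygen.exe",
    "mirc_crack.exe", "movie_xxx.exe", "norton_crack.exe",
    "paris_hilton_movie_xxx.exe", "windows_crack.exe", "windows_xp.exe",
    "zone_alarm_crack.exe")}

def scan_files(paths):
    """Return (indicator, path) hits for an inventory of Windows file paths."""
    hits = []
    for p in paths:
        folder, name = ntpath.split(ntpath.normpath(p))
        in_share = ntpath.basename(folder).lower() == SHARE_FOLDER
        if name.lower() == DROPPED_NAME:
            hits.append(("dropped-copy", p))
        elif in_share and name.lower() in LURE_NAMES:
            hits.append(("p2p-lure", p))
        elif in_share:  # anything else in the worm's share folder is suspect
            hits.append(("share-folder-content", p))
    return hits

def scan_registry(values):
    """Return (indicator, key) hits for (key, value_name, data) tuples."""
    hits = []
    for key, _name, data in values:
        k, d = key.lower(), str(data).lower()
        # Assumption: match any autorun key under CurrentVersion\Run*,
        # whatever the value name, if its data references the dropped file.
        if "\\currentversion\\run" in k and DROPPED_NAME in d:
            hits.append(("autorun", key))
        elif k.endswith("\\software\\kazaa\\localcontent") and SHARE_FOLDER in d:
            hits.append(("kazaa-share", key))
    return hits

if __name__ == "__main__":
    # Constructed sample inventory, not data from a real host.
    files = [r"C:\WINDOWS\system32\wuxat.exe",
             r"C:\WINDOWS\system32\kazaabackupfiles\keygen.exe",
             r"C:\Tools\keygen.exe"]
    reg = [(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            "ConstructedValue", "WUXAT.EXE")]
    for hit in scan_files(files) + scan_registry(reg):
        print(*hit)
```

A lure filename such as keygen.exe is only flagged when it sits inside the kazaabackupfiles folder, since the names themselves are common.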

  Diodorus Siculus 23:03 13 May 04

Thanks for that; it is interesting to hear it.

  temp003 00:54 14 May 04

Thanks indeed. First time I've read anything substantial about this file, even though it's been around for some time.

  hugh-265156 01:06 14 May 04

ta

  byfordr 08:50 14 May 04

Nice one ^

This thread is now locked and can not be replied to.
