wuxat.exe - an answer

  0006 22:47 13 May 2004

Recently, I posted a request to ask if anyone knew anything about a file called wuxat.exe. It installed itself in C:\Windows\System32 and tried to connect to the Internet. I sent it to Sophos for examination, and this is their response:

Avg-pro.exe and wuxat~bat.exe are now detected as W32/Spybot-CA.

W32/Spybot-CA is a peer-to-peer worm and backdoor Trojan that copies itself into the Windows system folder as WUXAT.EXE using a random name and sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceConfiguration Default = WUXAT.EXE
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunConfiguration Default = WUXAT.EXE

W32/Spybot-CA creates the folder kazaabackupfiles in the Windows system folder and copies itself there using the following filenames:

AVP_Crack.exe
Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
avg-pro_crack.exe
divx_codec.exe
gta3_patchfr.exe
keygen.exe
mirc_crack.exe
movie_xxx.exe
norton_crack.exe
paris_hilton_movie_xxx.exe
windows_crack.exe
windows_xp.exe
zone_alarm_crack.exe

The worm also sets the following registry entry to point to this folder:

HKCU\Software\Kazaa\LocalContent

So now we all know. Be careful all, and thanks Sophos!
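
An added example, not part of the original post or of Sophos's reply: a Python check for the file-system indicators listed above (WUXAT.EXE, the kazaabackupfiles folder and the bait filenames) that also flags bait files byte-identical to the dropped copy. The function names, report keys and the placeholder sample tree are assumptions made for illustration; the registry entries are not checked.

```python
import hashlib
import os

DROPPED_NAME = "wuxat.exe"          # file name given in the quoted description
SHARE_FOLDER = "kazaabackupfiles"   # folder created in the Windows system folder
BAIT_NAMES = {n.lower() for n in (
    "AVP_Crack.exe", "Battlefield1942_bloodpatch.exe", "Unreal2_bloodpatch.exe",
    "avg-pro_crack.exe", "divx_codec.exe", "gta3_patchfr.exe", "keygen.exe",
    "mirc_crack.exe", "movie_xxx.exe", "norton_crack.exe",
    "paris_hilton_movie_xxx.exe", "windows_crack.exe", "windows_xp.exe",
    "zone_alarm_crack.exe")}

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def _find(directory, wanted, want_dir):
    """Case-insensitive lookup of one entry (Windows names ignore case)."""
    for entry in os.scandir(directory):
        if entry.name.lower() == wanted and entry.is_dir() == want_dir:
            return entry.path
    return None

def scan_system_folder(system_dir):
    """Report which file-system indicators from the description are present."""
    dropped = _find(system_dir, DROPPED_NAME, want_dir=False)
    share = _find(system_dir, SHARE_FOLDER, want_dir=True)
    report = {"dropped": dropped, "share_folder": share,
              "bait": [], "same_as_dropped": []}
    if share is None:
        return report
    dropped_hash = _sha256(dropped) if dropped else None
    for entry in sorted(os.scandir(share), key=lambda e: e.name.lower()):
        if entry.is_file() and entry.name.lower() in BAIT_NAMES:
            report["bait"].append(entry.name)
            # The worm "copies itself": compare content with the dropped copy.
            if dropped_hash and _sha256(entry.path) == dropped_hash:
                report["same_as_dropped"].append(entry.name)
    return report

def build_sample_tree(root):
    """Constructed sample data: harmless placeholder files, not malware."""
    share = os.path.join(root, "KazaaBackupFiles")
    os.makedirs(share)
    for path, data in ((os.path.join(root, "WUXAT.EXE"), b"placeholder-A"),
                       (os.path.join(share, "Keygen.exe"), b"placeholder-A"),
                       (os.path.join(share, "divx_codec.exe"), b"placeholder-B"),
                       (os.path.join(share, "readme.txt"), b"placeholder-A")):
        with open(path, "wb") as fh:
            fh.write(data)
    return root
```

Point `scan_system_folder` at the Windows system folder of the machine (or a mounted disk image) being examined; `build_sample_tree` only exists to exercise it on constructed data.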

  Diodorus Siculus 23:03 13 May 2004

Thanks for that; it is interesting to hear it.

  temp003 00:54 14 May 2004

Thanks indeed. First time I've read anything substantial about this file, even though it's been around for some time.

  hugh-265156 01:06 14 May 2004

ta

  byfordr 08:50 14 May 2004

Nice one ^

This thread is now locked and can not be replied to.
