W32/Spybot-BZ attempts to copy itself to CRCSSV.EXE in the Windows system folder. It creates entries in the registry at the following locations to run itself on system restart:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
W32/Spybot-BZ copies itself to a folder called BACKUPS in the Windows system folder with the following filenames:
GTA3_cive.city_crack.exe
All-windows-crack.exe
Enter_The_Matrix_crack.exe
Matrix_Reloaded_downloader.exe
W32/Spybot-BZ then sets the following registry entry to enable sharing of these files with KaZaA:
HKCU\SOFTWARE\KAZAA\LocalContent\Dir0
More information is at Sophos page.
6/7: Spybot-BZ Copies Itself to Folder
