W32/Bugbear-D is an internet worm that spreads via file sharing on Kazaa P2P networks. It also spreads by emailing itself to contacts in the Windows address book and to addresses found within files on local and network drives that have extensions of HTM, SHT, PHP, ASP, DBX, TBB, ADB or WAB.

When first run W32/Bugbear-D copies itself to the Windows system folder as taskmon.exe and creates the following registry entry, so that taskmon.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
TaskMon = %SYSTEM%\taskmon.exe

W32/Bugbear-D copies itself to the Kazaa Transfer folder specified by the registry entry

HKCU\Kazaa\Transfer\DlDir0

using a filename randomly selected from the list:

winamp5
icq2004-final
activation_crack
strip-girl-2.0bdcom_patches
rootkitXP
office_crack
nuke2004

with a random extension of EXE, SCR, PIF or BAT.

More information can be found at this Sophos page.