Worm.P2P.Duload

Details
Worm.P2P.Duload.b

Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines.
The worm itself is a Windows application (PE EXE file) written in Visual Basic, 7680 bytes in size (packed with UPX).

Installation

The worm copies itself to the Windows System directory under the name SystemConfig.exe and modifies the system registry so that this file automatically loads upon start-up.
This is done by writing the following registry values:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows System Configure"="[System Directory path]\SystemConfig.exe"

Replication

The Duload worm creates a directory in the Windows System directory named “Media” and then copies itself to this directory under the following names:
Alicia Silverstone Payboy Nude.exe
Bingo.exe
Britney Spears Dance Beat.exe
DDos Client.exe
Email Bomber.exe
FileServer.exe
Flash Golf.exe
Free Mpegs.exe
Free Pics.exe
Free Porn.exe
Hoes For You Solitare.exe
Hotmail Hacker.exe
Irc Client.exe
J.Lo Bikini Screensaver.exe
Jenna Jamison Dildo Humping.exe
Kama Sutra Tetris.exe
Kazaa Clone.exe
Mirc 7.0.exe
Napster Clone.exe
Pamela Anderson And Tommy Lee Home Video.exe
Play Games Online For FREE.exe
Ps2 Emulator.exe
Ps2 Iso 2 Rom Converter.exe
Shakira Dancing.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
System Monitor.exe
The Sims Game Crack.exe
Universal Game Crack.exe
Warcraft 3 Battle.net Crack.exe
Website Hacker.exe
Win A Ps2.exe
Win An Xbox.exe
Winace.exe
Windows Hacker.exe
Winmx.exe
Winrar.exe
Winzip.exe
Working Iso Burner.exe
Xbox Emulator.exe
Xbox Iso 2 Rom Converter.exe
Then the worm writes several registry values in the [HKEY_CURRENT_USER\Software\Kazaa] registry key, so that the Media directory becomes available as a Kazaa shared directory.


Worm.P2P.Duload

Details
Worm.P2P.Duload.a

Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines.
The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size.

Installation

The worm copies itself to the Windows System directory under the name SystemConfig.exe and modifies the system registry so that this file automatically loads upon start-up.
This is done by writing the following registry values:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows System Configure"="[System Directory path]\SystemConfig.exe"

Replication

The Duload worm creates a directory in the Windows System directory named “Media” and then copies itself to this directory under the following names:
Alicia Silverstone Payboy Nude.exe
Bingo.exe
Britney Spears Dance Beat.exe
DDos Client.exe
Email Bomber.exe
FileServer.exe
Flash Golf.exe
Free Mpegs.exe
Free Pics.exe
Free Porn.exe
Hoes For You Solitare.exe
Hotmail Hacker.exe
Irc Client.exe
J.Lo Bikini Screensaver.exe
Jenna Jamison Dildo Humping.exe
Kama Sutra Tetris.exe
Kazaa Clone.exe
Mirc 7.0.exe
Napster Clone.exe
Pamela Anderson And Tommy Lee Home Video.exe
Play Games Online For FREE.exe
Ps2 Emulator.exe
Ps2 Iso 2 Rom Converter.exe
Shakira Dancing.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
System Monitor.exe
The Sims Game Crack.exe
Universal Game Crack.exe
Warcraft 3 Battle.net Crack.exe
Website Hacker.exe
Win A Ps2.exe
Win An Xbox.exe
Winace.exe
Windows Hacker.exe
Winmx.exe
Winrar.exe
Winzip.exe
Working Iso Burner.exe
Xbox Emulator.exe
Xbox Iso 2 Rom Converter.exe
Then the worm writes several registry values in the [HKEY_CURRENT_USER\Software\Kazaa] registry key, so that the Media directory becomes available as a Kazaa shared directory.

Other

The Worm.P2P.Duload.a variant also acts as a TrojanDownloader: it downloads a malware program from the “http://thisistrash.0catch.com/” site, saves it to “c:\Uninstall.exe” and executes it.
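
The Installation and Replication registry changes described for both the .a and .b variants can be checked offline against an exported registry listing. The following Python is an added example, not part of the original write-up or any vendor tool; it assumes the export is already decoded text in .reg form, and the Kazaa heuristic and the sample data (including the value name "ExampleShareValue") are constructed for illustration.

```python
import re

# Indicators from the description above, lower-cased for comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "windows system configure"
DROPPED_FILE = "\\systemconfig.exe"
KAZAA_KEY = r"hkey_current_user\software\kazaa"
# "name"="data" string values; \\ and \" are escapes inside .reg strings.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def find_duload_traces(reg_text):
    """Return (key, value name, data) for every value matching the write-up."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k, d = key.lower(), data.lower().rstrip("\\")
        autorun = (k in RUN_KEYS and name.lower() == VALUE_NAME
                   and d.endswith(DROPPED_FILE))
        # Assumption: the Kazaa value names are not given, so flag any value
        # under that key (or a subkey) whose data ends in a "Media" folder.
        in_kazaa = k == KAZAA_KEY or k.startswith(KAZAA_KEY + "\\")
        if autorun or (in_kazaa and d.endswith("\\media")):
            hits.append((key, name, data))
    return hits

# Constructed sample in .reg text form; "ExampleShareValue" is a placeholder.
SAMPLE = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configure"="C:\\WINDOWS\\System32\\SystemConfig.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"windows system configure"="C:\\WINDOWS\\SYSTEM\\SYSTEMCONFIG.EXE"
[HKEY_CURRENT_USER\Software\Kazaa]
"ExampleShareValue"="C:\\WINDOWS\\System32\\Media"
'''
```

Calling `find_duload_traces(SAMPLE)` returns the two autorun entries and the share entry while skipping the unrelated "Updater" value. `reg export` writes UTF-16 text, so decode the file before passing its contents in.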
