Prevent Online Threats

Worm.P2P.Harex

Details
Worm.P2P.Harex.c

This is a peer-to-peer worm, also known as Exebat. The worm file is about 2 KB in size, packed with FSG. The unpacked file is 17 KB in size.
Installation
During installation the worm creates a folder named “sys32” in the Windows system folder and copies itself to this folder under one of the following filenames:
All Adobe Products Keygen.exe
All Macromedia Products Keygen.exe
All Microsoft Products Keygen.exe
BurnDvds.exe
Divx Pro 5.1 Serial.exe
Dvd Plus Crack.exe
Dvd Ripper.exe
Dvd To Vcd.exe
Dvd Wizard Pro Crack.exe
Dvd Xcopy Crack.exe
DvdCopyOne Crack.exe
DvdToVcd Crack.exe
Easy Dvd creator Crack.exe
Easy Dvd Ripper.exe
EZ Dvd Ripper.exe
Nero Burning Rom Crack.exe
Nimo Codec Pack Updater.exe
Xvid Codec Installer.exe
This folder is then registered in the Windows system registry as Local Content for Kazaa and iMesh file sharing systems:
[HKCU\Software\Kazaa\LocalContent]
[HKCU\Software\Kazaa\Transfer]
"dir0"="012345:%Windir%\system\sys32"

[HKCU\Software\iMesh\Client\LocalContent]
"dir0"="012345:%Windir%\system\sys32"
Other details
As two previous Harex variants did, this worm downloads a file from the server cnet.0catch.com, saves it in the root folder of drive C: as autoexec.bat.Exe and executes it.


    Worm.P2P.Harex

    Details
    Worm.P2P.Harex.b
    Harex.b (aka Genky) is about 4KB when compressed by FSG. The virus file is 33KB when uncompressed.
    Installing
    During installation, the worm creates a subdirectory called ‘windows’ within the Windows directory and writes itself to this subdirectory under the following names:
    Ipswich Town Official Management Game – Update.exe
    Ipswich Town Official Management Game – CD Crack.exe
    Ipswich Town Official Management Game – Update Crack.exe
    Ipswich Town Official Management Game – Cd Key Changer.exe
    Ipswich Town Official Management Game – CD Key Generator.exe
    Ipswich Town Official Management Game – CD Keygen.exe
    Ipswich Town Official Management Game – Keygen.exe
    Ipswich Town Official Management Game – NoCd.exe
    Bridge Baron 13 – Update.exe
    Bridge Baron 13 – CD Crack.exe
    Bridge Baron 13 – Update Crack.exe
    Bridge Baron 13 – Cd Key Changer.exe
    Bridge Baron 13 – CD Key Generator.exe
    Bridge Baron 13 – CD Keygen.exe
    Bridge Baron 13 – Keygen.exe
    Bridge Baron 13 – NoCd.exe
    American Conquest – Update.exe
    American Conquest – CD Crack.exe
    American Conquest – Update Crack.exe
    American Conquest – Cd Key Changer.exe
    American Conquest – CD Key Generator.exe
    American Conquest – CD Keygen.exe
    American Conquest – Keygen.exe
    American Conquest – NoCd.exe
    Grom – Update.exe
    Grom – CD Crack.exe
    Grom – Update Crack.exe
    Grom – Cd Key Changer.exe
    Grom – CD Key Generator.exe
    Grom – CD Keygen.exe
    Grom – Keygen.exe
    Grom – NoCd.exe
    Alex Ferguson’s Player Manager 2003 – Update.exe
    Alex Ferguson’s Player Manager 2003 – CD Crack.exe
    Alex Ferguson’s Player Manager 2003 – Update Crack.exe
    Alex Ferguson’s Player Manager 2003 – Cd Key Changer.exe
    Alex Ferguson’s Player Manager 2003 – CD Key Generator.exe
    Alex Ferguson’s Player Manager 2003 – CD Keygen.exe
    Alex Ferguson’s Player Manager 2003 – Keygen.exe
    Alex Ferguson’s Player Manager 2003 – NoCd.exe
    Command and Conquer Generals – Update.exe
    Command and Conquer Generals – CD Crack.exe
    Command and Conquer Generals – Update Crack.exe
    Command and Conquer Generals – Cd Key Changer.exe
    Command and Conquer Generals – CD Key Generator.exe
    Command and Conquer Generals – CD Keygen.exe
    Command and Conquer Generals – Keygen.exe
    Command and Conquer Generals – NoCd.exe
    Nascar Racing 2003 Season – Update.exe
    Nascar Racing 2003 Season – CD Crack.exe
    Nascar Racing 2003 Season – Update Crack.exe
    Nascar Racing 2003 Season – Cd Key Changer.exe
    Nascar Racing 2003 Season – CD Key Generator.exe
    Nascar Racing 2003 Season – CD Keygen.exe
    Nascar Racing 2003 Season – Keygen.exe
    Nascar Racing 2003 Season – NoCd.exe
    Eonix Realm Of Hepmia – Update.exe
    Eonix Realm Of Hepmia – CD Crack.exe
    Eonix Realm Of Hepmia – Update Crack.exe
    Eonix Realm Of Hepmia – Cd Key Changer.exe
    Eonix Realm Of Hepmia – CD Key Generator.exe
    Eonix Realm Of Hepmia – CD Keygen.exe
    Eonix Realm Of Hepmia – Keygen.exe
    Eonix Realm Of Hepmia – NoCd.exe
    I Was An Atomic Mutant – Update.exe
    I Was An Atomic Mutant – CD Crack.exe
    I Was An Atomic Mutant – Update Crack.exe
    I Was An Atomic Mutant – Cd Key Changer.exe
    I Was An Atomic Mutant – CD Key Generator.exe
    I Was An Atomic Mutant – CD Keygen.exe
    I Was An Atomic Mutant – Keygen.exe
    I Was An Atomic Mutant – NoCd.exe
    Fetish Fighters – Update.exe
    Fetish Fighters – CD Crack.exe
    Fetish Fighters – Update Crack.exe
    Fetish Fighters – Cd Key Changer.exe
    Fetish Fighters – CD Key Generator.exe
    Fetish Fighters – CD Keygen.exe
    Fetish Fighters – Keygen.exe
    Fetish Fighters – NoCd.exe
    Battlefield 1942 The Road to Rome – Update.exe
    Battlefield 1942 The Road to Rome – CD Crack.exe
    Battlefield 1942 The Road to Rome – Update Crack.exe
    Battlefield 1942 The Road to Rome – Cd Key Changer.exe
    Battlefield 1942 The Road to Rome – CD Key Generator.exe
    Battlefield 1942 The Road to Rome – CD Keygen.exe
    Battlefield 1942 The Road to Rome – Keygen.exe
    Battlefield 1942 The Road to Rome – NoCd.exe
    The Campaigns of La Grande Armee – Update.exe
    The Campaigns of La Grande Armee – CD Crack.exe
    The Campaigns of La Grande Armee – Update Crack.exe
    The Campaigns of La Grande Armee – Cd Key Changer.exe
    The Campaigns of La Grande Armee – CD Key Generator.exe
    The Campaigns of La Grande Armee – CD Keygen.exe
    The Campaigns of La Grande Armee – Keygen.exe
    The Campaigns of La Grande Armee – NoCd.exe
    Unreal II The Awakening – Update.exe
    Unreal II The Awakening – CD Crack.exe
    Unreal II The Awakening – Update Crack.exe
    Unreal II The Awakening – Cd Key Changer.exe
    Unreal II The Awakening – CD Key Generator.exe
    Unreal II The Awakening – CD Keygen.exe
    Unreal II The Awakening – Keygen.exe
    Unreal II The Awakening – NoCd.exe
    The Emperors Mahjong – Update.exe
    The Emperors Mahjong – CD Crack.exe
    The Emperors Mahjong – Update Crack.exe
    The Emperors Mahjong – Cd Key Changer.exe
    The Emperors Mahjong – CD Key Generator.exe
    The Emperors Mahjong – CD Keygen.exe
    The Emperors Mahjong – Keygen.exe
    The Emperors Mahjong – NoCd.exe
    Sim City 4 – Update.exe
    Sim City 4 – CD Crack.exe
    Sim City 4 – Update Crack.exe
    Sim City 4 – Cd Key Changer.exe
    Sim City 4 – CD Key Generator.exe
    Sim City 4 – CD Keygen.exe
    Sim City 4 – Keygen.exe
    Sim City 4 – NoCd.exe
    Private Nurse – Update.exe
    Private Nurse – CD Crack.exe
    Private Nurse – Update Crack.exe
    Private Nurse – Cd Key Changer.exe
    Private Nurse – CD Key Generator.exe
    Private Nurse – CD Keygen.exe
    Private Nurse – Keygen.exe
    Private Nurse – NoCd.exe
    Impossible Creatures – Update.exe
    Impossible Creatures – CD Crack.exe
    Impossible Creatures – Update Crack.exe
    Impossible Creatures – Cd Key Changer.exe
    Impossible Creatures – CD Key Generator.exe
    Impossible Creatures – CD Keygen.exe
    Impossible Creatures – Keygen.exe
    Impossible Creatures – NoCd.exe
    Slot City 3 – Update.exe
    Slot City 3 – CD Crack.exe
    Slot City 3 – Update Crack.exe
    Slot City 3 – Cd Key Changer.exe
    Slot City 3 – CD Key Generator.exe
    Slot City 3 – CD Keygen.exe
    Slot City 3 – Keygen.exe
    Slot City 3 – NoCd.exe
    Test Drive – Update.exe
    Test Drive – CD Crack.exe
    Test Drive – Update Crack.exe
    Test Drive – Cd Key Changer.exe
    Test Drive – CD Key Generator.exe
    Test Drive – CD Keygen.exe
    Test Drive – Keygen.exe
    Test Drive – NoCd.exe
    Shadow of Memories – Update.exe
    Shadow of Memories – CD Crack.exe
    Shadow of Memories – Update Crack.exe
    Shadow of Memories – Cd Key Changer.exe
    Shadow of Memories – CD Key Generator.exe
    Shadow of Memories – CD Keygen.exe
    Shadow of Memories – Keygen.exe
    Shadow of Memories – NoCd.exe
    World Of Outlaws Sprint Car Racing 2002 – Update.exe
    World Of Outlaws Sprint Car Racing 2002 – CD Crack.exe
    World Of Outlaws Sprint Car Racing 2002 – Update Crack.exe
    World Of Outlaws Sprint Car Racing 2002 – Cd Key Changer.exe
    World Of Outlaws Sprint Car Racing 2002 – CD Key Generator.exe
    World Of Outlaws Sprint Car Racing 2002 – CD Keygen.exe
    World Of Outlaws Sprint Car Racing 2002 – Keygen.exe
    World Of Outlaws Sprint Car Racing 2002 – NoCd.exe
    Tombstone 1882 – Update.exe
    Tombstone 1882 – CD Crack.exe
    Tombstone 1882 – Update Crack.exe
    Tombstone 1882 – Cd Key Changer.exe
    Tombstone 1882 – CD Key Generator.exe
    Tombstone 1882 – CD Keygen.exe
    Tombstone 1882 – Keygen.exe
    Tombstone 1882 – NoCd.exe
    Las Vegas Casino Player’s Collection – Update.exe
    Las Vegas Casino Player’s Collection – CD Crack.exe
    Las Vegas Casino Player’s Collection – Update Crack.exe
    Las Vegas Casino Player’s Collection – Cd Key Changer.exe
    Las Vegas Casino Player’s Collection – CD Key Generator.exe
    Las Vegas Casino Player’s Collection – CD Keygen.exe
    Las Vegas Casino Player’s Collection – Keygen.exe
    Las Vegas Casino Player’s Collection – NoCd.exe
    Airport Tycoon II – Update.exe
    Airport Tycoon II – CD Crack.exe
    Airport Tycoon II – Update Crack.exe
    Airport Tycoon II – Cd Key Changer.exe
    Airport Tycoon II – CD Key Generator.exe
    Airport Tycoon II – CD Keygen.exe
    Airport Tycoon II – Keygen.exe
    Airport Tycoon II – NoCd.exe
    Filbert Fledgling – Update.exe
    Filbert Fledgling – CD Crack.exe
    Filbert Fledgling – Update Crack.exe
    Filbert Fledgling – Cd Key Changer.exe
    Filbert Fledgling – CD Key Generator.exe
    Filbert Fledgling – CD Keygen.exe
    Filbert Fledgling – Keygen.exe
    Filbert Fledgling – NoCd.exe
    Apache AH-64 Air Assault – Update.exe
    Apache AH-64 Air Assault – CD Crack.exe
    Apache AH-64 Air Assault – Update Crack.exe
    Apache AH-64 Air Assault – Cd Key Changer.exe
    Apache AH-64 Air Assault – CD Key Generator.exe
    Apache AH-64 Air Assault – CD Keygen.exe
    Apache AH-64 Air Assault – Keygen.exe
    Apache AH-64 Air Assault – NoCd.exe
    A+ Certification Test.exe
    Cisco Certification Test.exe
    MSCE Certification Test.exe
    Unix Certification Test.exe
    Windows Nt Certification Test.exe
    Serious Sam – Gold Edition – Update.exe
    Serious Sam – Gold Edition – CD Crack.exe
    Serious Sam – Gold Edition – Update Crack.exe
    Serious Sam – Gold Edition – Cd Key Changer.exe
    Serious Sam – Gold Edition – CD Key Generator.exe
    Serious Sam – Gold Edition – CD Keygen.exe
    Serious Sam – Gold Edition – Keygen.exe
    Serious Sam – Gold Edition – NoCd.exe
    Global Power – Update.exe
    Global Power – CD Crack.exe
    Global Power – Update Crack.exe
    Global Power – Cd Key Changer.exe
    Global Power – CD Key Generator.exe
    Global Power – CD Keygen.exe
    Global Power – Keygen.exe
    Global Power – NoCd.exe
    IGI-2 Covert Strike – Update.exe
    IGI-2 Covert Strike – CD Crack.exe
    IGI-2 Covert Strike – Update Crack.exe
    IGI-2 Covert Strike – Cd Key Changer.exe
    IGI-2 Covert Strike – CD Key Generator.exe
    IGI-2 Covert Strike – CD Keygen.exe
    IGI-2 Covert Strike – Keygen.exe
    IGI-2 Covert Strike – NoCd.exe
    Tom Clancy’s Splinter Cell – Update.exe
    Tom Clancy’s Splinter Cell – CD Crack.exe
    Tom Clancy’s Splinter Cell – Update Crack.exe
    Tom Clancy’s Splinter Cell – Cd Key Changer.exe
    Tom Clancy’s Splinter Cell – CD Key Generator.exe
    Tom Clancy’s Splinter Cell – CD Keygen.exe
    Tom Clancy’s Splinter Cell – Keygen.exe
    Tom Clancy’s Splinter Cell – NoCd.exe
    Robot Arena Design And Destroy – Update.exe
    Robot Arena Design And Destroy – CD Crack.exe
    Robot Arena Design And Destroy – Update Crack.exe
    Robot Arena Design And Destroy – Cd Key Changer.exe
    Robot Arena Design And Destroy – CD Key Generator.exe
    Robot Arena Design And Destroy – CD Keygen.exe
    Robot Arena Design And Destroy – Keygen.exe
    Robot Arena Design And Destroy – NoCd.exe
    Freelancer – Update.exe
    Freelancer – CD Crack.exe
    Freelancer – Update Crack.exe
    Freelancer – Cd Key Changer.exe
    Freelancer – CD Key Generator.exe
    Freelancer – CD Keygen.exe
    Freelancer – Keygen.exe
    Freelancer – NoCd.exe

    The subdirectory created by the worm is registered in the Windows registry as Local Content for the Kazaa and iMesh file sharing systems:
    HKCU\Software\Kazaa\LocalContent
    HKCU\Software\Kazaa\Transfer
    dir0 = 012345:%Windir%\system\windows

    HKCU\Software\iMesh\Client\LocalContent
    dir0 = 012345:%Windir%\system\windows

    As a result of these entries, the files become available for download by other P2P network users.
    Other
    Version ‘A’ of the virus is downloaded and launched from the server ‘cnets.0catch.com’. The virus is contained in a file called ‘Kernell116.dll.exe’, which is placed in the root directory of the C: drive.


    Worm.P2P.Harex

    Details
    Worm.P2P.Harex.a
    Harex.a is an Internet worm that spreads via the peer-to-peer file sharing networks Kazaa and iMesh. The worm is a Windows PE EXE file, approx. 15KB in size when compressed with PE Patch, Telock, PECompact.
    Installation
    During installation, the Harex.a worm creates a subdirectory called ‘os32’ in the Windows directory and writes itself to this subdirectory using the following names:

    Website Hacker.exe
    Html Hacker.exe
    Blowfish Decrypter.exe
    Upx Unpacker.exe
    Upx Unscrambler.exe
    Upx Decrypter.exe
    Upx Encrypter.exe
    PeCompact Unpacker.exe
    32lite Unpacker.exe
    624 Unpacker.exe
    aPack Unpacker.exe
    aplib Unpacker.exe
    avpack Unpacker.exe
    axe Unpacker.exe
    diet Unpacker.exe
    epack Unpacker.exe
    lglz Unpacker.exe
    lzexe Unpacker.exe
    megalite Unpacker.exe
    pack Unpacker.exe
    pklite Unpacker.exe
    pk smart Unpacker.exe
    pmode Unpacker.exe
    pro-pack Unpacker.exe
    rjcrush Unpacker.exe
    rucc Unpacker.exe
    syspack Unpacker.exe
    vacuum Unpacker.exe
    wwpack Unpacker.exe
    XE Unpacker.exe
    Xpack Unpacker.exe
    Aspack Unpacker.exe
    cExe Unpacker.exe
    pc shrinker Unpacker.exe
    Fsg Unpacker.exe
    Neolite Unpacker.exe
    Pe Diminisher Unpacker.exe
    Petite Unpacker.exe
    Gpx Unpacker.exe
    Gupx Unpacker.exe
    WWPack32 Unpacker.exe
    Hotmail hacker.exe
    aim hacker.exe
    msn hacker.exe
    mirc hacker.exe
    irc hacker.exe
    pirch hacker.exe
    outlook express hacker.exe
    outlook hacker.exe
    email hacker.exe
    pop hacker.exe
    smtp hacker.exe
    ssh hacker.exe
    telnet hacker.exe
    windows hacker.exe
    dos hacker.exe
    linux hacker.exe
    unix hacker.exe
    mac hacker.exe
    network hacker.exe
    nmapnt32.exe
    nmap.exe
    win32 hacker.exe
    win16 hacker.exe
    hacker.exe
    Borland c++ Crack.exe
    Microsoft C Crack.exe
    Microsoft C++ Crack.exe
    Microsoft Crack.exe
    Macromedia Crack.exe
    Windows Crack.exe
    Xp Crack.exe
    2k Crack.exe
    98 Crack.exe
    Encryption Crack.exe
    Fbi hack.exe
    Cia Hack.exe
    Whitehouse Camera.exe
    The Sims Superstar cheats.exe
    Wild Rides Water Park Factory cheats.exe
    Next Generation Tennis 2003 cheats.exe
    Finding Nemo cheats.exe
    Naval Campaigns Guadalcanal cheats.exe
    Squad Battles Advance of the Reich cheats.exe
    Enter the Matrix cheats.exe
    Rise of Nations cheats.exe
    Grand Theft Auto Vice City cheats.exe
    Magnetic cheats.exe
    Big Mutha Truckers cheats.exe
    Robocop cheats.exe
    Bloodrayne cheats.exe
    The Sims Superstar crack.exe
    Wild Rides Water Park Factory crack.exe
    Next Generation Tennis 2003 crack.exe
    Finding Nemo crack.exe
    Naval Campaigns Guadalcanal crack.exe
    Squad Battles Advance of the Reich crack.exe
    Enter the Matrix crack.exe
    Rise of Nations crack.exe
    Grand Theft Auto Vice City crack.exe
    Magnetic crack.exe
    Big Mutha Truckers crack.exe
    Robocop crack.exe
    Bloodrayne crack.exe
    The Sims Superstar update.exe
    Wild Rides Water Park Factory update.exe
    Next Generation Tennis 2003 update.exe
    Finding Nemo update.exe
    Naval Campaigns Guadalcanal update.exe
    Squad Battles Advance of the Reich update.exe
    Enter the Matrix update.exe
    Rise of Nations update.exe
    Grand Theft Auto Vice City update.exe
    Magnetic update.exe
    Big Mutha Truckers update.exe
    Robocop update.exe
    Bloodrayne update.exe

    The subdirectory is registered in the Windows registry as Local Content for the Kazaa and iMesh file sharing systems. The entries are below:
    HKCU\Software\Kazaa\LocalContent
    HKCU\Software\Kazaa\Transfer
    dir0 = 012345:%Windir%\system\os32
    HKCU\Software\iMesh\Client\LocalContent
    dir0 = 012345:%Windir%\system\os32
    Other
    The Harex.a worm downloads a file from the server ‘cnets.Ocatch.com’ via the Internet. The file is saved in the root directory of drive C: under the name ‘Win32.exe’. Once the file is downloaded, the worm executes it. The ‘Win32.exe’ file is likely either a new version of the Harex worm or another malicious program.
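
A detection sketch for the two artifacts all three variants share: a Kazaa/iMesh share entry pointing inside the Windows directory, and a double-extension executable dropped in the root of C:. This is an added example, not part of the original descriptions; the function names, the regedit-style export format, the default `C:\WINDOWS` path, the decoy-extension list and the sample data are assumptions made for illustration.

```python
import re

# Registry keys the page lists for the Kazaa and iMesh shared-folder entries.
P2P_KEYS = {
    r"hkey_current_user\software\kazaa\localcontent",
    r"hkey_current_user\software\kazaa\transfer",
    r"hkey_current_user\software\imesh\client\localcontent",
}
# Assumed decoy extensions that may precede a final .exe (not from the page).
DECOY_EXTS = {"bat", "dll", "txt", "doc", "jpg", "pdf"}

def norm_key(key):
    """Lower-case a key path and expand the HKCU abbreviation."""
    k = key.lower()
    return "hkey_current_user" + k[4:] if k.startswith("hkcu\\") else k

def parse_reg(text):
    """Yield (key, value_name, data) from regedit-style export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def suspicious_shares(reg_text, windir=r"C:\WINDOWS"):
    """Return P2P share values (dirN) that point inside the Windows directory."""
    root, hits = windir.lower().rstrip("\\"), []
    for key, name, data in parse_reg(reg_text):
        if norm_key(key) not in P2P_KEYS or not re.fullmatch(r"dir\d+", name, re.I):
            continue
        # Values look like "012345:<path>"; keep only the path part.
        path = data.split(":", 1)[1] if re.match(r"\d+:", data) else data
        path = re.sub(r"%windir%", lambda _: windir, path, flags=re.I)
        if path.lower() == root or path.lower().startswith(root + "\\"):
            hits.append((key, name, path))
    return hits

def double_extension_exes(names):
    """Return names such as 'autoexec.bat.Exe' where a decoy extension precedes .exe."""
    hits = []
    for n in names:
        stem, _, ext = n.rpartition(".")
        if ext.lower() == "exe" and "." in stem and stem.rpartition(".")[2].lower() in DECOY_EXTS:
            hits.append(n)
    return hits

# Constructed sample data: a registry export fragment and a listing of the C: root.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"dir0"="012345:C:\\WINDOWS\\system\\sys32"
"dir1"="012345:C:\\Program Files\\Kazaa\\My Shared Folder"
[HKCU\Software\iMesh\Client\LocalContent]
"dir0"="012345:%Windir%\system\os32"
'''
SAMPLE_ROOT = ["autoexec.bat.Exe", "Kernell116.dll.exe", "Win32.exe",
               "Divx Pro 5.1 Serial.exe", "AUTOEXEC.BAT"]

if __name__ == "__main__":
    print(suspicious_shares(SAMPLE_REG))
    print(double_extension_exes(SAMPLE_ROOT))
```

The double-extension check does not flag ‘Win32.exe’, so the Harex.a download needs a separate rule, such as any unexpected executable in the drive root.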
