Details
Worm.P2P.VB.bh

This worm spreads via P2P networks as a PE file.
The worm itself is a Windows PE EXE file, 32KB in size and is written in Visual Basic.
Installation
When launched, the worm copies itself to the C:\Windows\System32\ directory under its current name and hides the file in the Windows system directory.
The worm then registers this file in the system registry, to ensure that the file is launched each time Windows is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\]
Windows =
Propagation
The worm copies itself to the following directories:
C:\My Shared FolderC:\Windows\My Shared FolderC:\Windows\ShareC:\My Downloads\C:\Windows\My DownloadsDoS attacks
When launched, the worm conducts DoS attacks on the following sites:
www.microsoft.com
www.aol.com
www.yahoo.com
www.google.com
by sending packets of maximum size (64 bytes) using the ping utility.
It will only do this between 0000 and 1800 and from 1900 to 2400.
Presence in the system
If the worm is launched between 1800 and 1900 according to the local system clock, it will create a directory named Shared in the C:\ root directory, and will copy itself to this directory.

Related Posts

This entry was posted on Friday, August 22nd, 2008 at 7:50 pm and is filed under Virus Threats.