Virus Encyclopedia

P2P-Worm.Win32.Duload.b

Alert Level: Medium
Discovered: Jun 22 2002
Discoverer and Source: http://www.kaspersky.com/

Malware Behavior and Technical Description

Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines.

The worm itself is a Windows application (PE EXE file) written in Visual Basic, 7680 bytes in size (packed with UPX).

Installation

The worm copies itself to the Windows System directory under the name SystemConfig.exe and modifies the system registry so that this file automatically loads upon start-up.

This is done by writing the following registry values:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "Windows System Configure"="[System Directory path]\SystemConfig.exe"

Replication

The Duload worm creates a directory in the Windows System directory named "Media" and then copies itself to this directory under the following names:

Alicia Silverstone Payboy Nude.exe
Bingo.exe
Britney Spears Dance Beat.exe
DDos Client.exe
Email Bomber.exe
FileServer.exe
Flash Golf.exe
Free Mpegs.exe
Free Pics.exe
Free Porn.exe
Hoes For You Solitare.exe
Hotmail Hacker.exe
Irc Client.exe
J.Lo Bikini Screensaver.exe
Jenna Jamison Dildo Humping.exe
Kama Sutra Tetris.exe
Kazaa Clone.exe
Mirc 7.0.exe
Napster Clone.exe
Pamela Anderson And Tommy Lee Home Video.exe
Play Games Online For FREE.exe
Ps2 Emulator.exe
Ps2 Iso 2 Rom Converter.exe
Shakira Dancing.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
System Monitor.exe
The Sims Game Crack.exe
Universal Game Crack.exe
Warcraft 3 Battle.net Crack.exe
Website Hacker.exe
Win A Ps2.exe
Win An Xbox.exe
Winace.exe
Windows Hacker.exe
Winmx.exe
Winrar.exe
Winzip.exe
Working Iso Burner.exe
Xbox Emulator.exe
Xbox Iso 2 Rom Converter.exe

Then the worm writes several registry values in the [HKEY_CURRENT_USER\Software\Kazaa] registry key, so that the Media directory becomes available as a Kazaa shared directory.
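The autorun entries listed under Installation can be checked offline against a registry export. The following is an added example, not part of the original entry or of any vendor tool: it assumes the export has already been decoded to text in regedit's .reg format, and the function name, sample export and paths in it are constructed for illustration.

```python
import ntpath
import re

# Indicators from the description above, lower-cased for case-insensitive comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "windows system configure"
FILE_NAME = "systemconfig.exe"
# A string value line in a regedit export: "name"="data", with \ and " escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def find_duload_autoruns(reg_text):
    """Return (key, value_name, data) for each autorun entry matching the worm."""
    hits, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if match is None or key is None or key.lower() not in RUN_KEYS:
            continue
        name, data = _unescape(match.group(1)), _unescape(match.group(2))
        # Match on either indicator so a renamed value or moved file still shows.
        exe = ntpath.basename(data.strip().strip('"')).lower()
        if name.lower() == VALUE_NAME or exe == FILE_NAME:
            hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows System Configure"="C:\\WINDOWS\\system32\\SystemConfig.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"windows system configure"="C:\\WINDOWS\\SYSTEM\\systemconfig.exe"
'''

if __name__ == "__main__":
    for hit in find_duload_autoruns(SAMPLE):
        print("suspicious autorun:", *hit, sep="\n  ")
```

Only the three keys named in the description are inspected, so the same value name under any other key is ignored.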
