P2P-Worm.Win32.Harex.c
| Alert Level : | Medium |
| Discovered: | Jun 11 2004 |
| Tag: | Peer-to-Peer Worms Worms |
| Discoverer and Source: | http://www.kaspersky.com/ |
Malware Behavior and Technical Description
This is a peer-to-peer worm, also known as Exebat. The worm file is about 2 KB in size, packed with FSG. The unpacked file is 17 KB in size.
Installation
During installation the worm creates a folder named "sys32" in the Windows system folder and copies itself to this folder under one of the following filenames:
All Adobe Products Keygen.exe
All Macromedia Products Keygen.exe
All Microsoft Products Keygen.exe
BurnDvds.exe
Divx Pro 5.1 Serial.exe
Dvd Plus Crack.exe
Dvd Ripper.exe
Dvd To Vcd.exe
Dvd Wizard Pro Crack.exe
Dvd Xcopy Crack.exe
DvdCopyOne Crack.exe
DvdToVcd Crack.exe
Easy Dvd creator Crack.exe
Easy Dvd Ripper.exe
EZ Dvd Ripper.exe
Nero Burning Rom Crack.exe
Nimo Codec Pack Updater.exe
Xvid Codec Installer.exe
This folder is then registered in the Windows system registry as Local Content for Kazaa and iMesh file sharing systems:
[HKCU\Software\Kazaa\LocalContent]
[HKCU\Software\Kazaa\Transfer]
"dir0"="012345:%Windir%\system\sys32"
[HKCU\Software\iMesh\Client\LocalContent]
"dir0"="012345:%Windir%\system\sys32"
Other details
As two previous Harex variants did, this worm downloads a file from the server cnet.0catch.com, saves it in the root folder of drive C: as autoexec.bat.Exe and executes it.
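A read-only host check for the artifacts described above, written as an added PowerShell example that is not part of the original description. The function name Get-HarexCArtifact is hypothetical, and checking System32 in addition to the %Windir%\system path shown in the registry data is an assumption.

```powershell
# Added example: reports Harex.c artifacts named on this page. Changes nothing.
function Get-HarexCArtifact {
    [CmdletBinding()]
    param(
        [string]$WinDir    = $env:windir,
        [string]$DriveRoot = 'C:\'
    )

    # 1. Drop folder "sys32" in the Windows system folder. The registry data on
    #    the page shows %Windir%\system\sys32; System32 is an added assumption.
    foreach ($sysDir in 'system', 'System32') {
        $dropDir = Join-Path (Join-Path $WinDir $sysDir) 'sys32'
        if (Test-Path -LiteralPath $dropDir -PathType Container) {
            [pscustomobject]@{ Type = 'Folder'; Location = $dropDir; Detail = 'drop folder exists' }
            # Worm copies are .exe files; -Force includes hidden ones.
            Get-ChildItem -LiteralPath $dropDir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
                }
        }
    }

    # 2. Kazaa / iMesh keys from the page: flag any value that shares a sys32 folder.
    $keys = 'HKCU:\Software\Kazaa\LocalContent',
            'HKCU:\Software\Kazaa\Transfer',
            'HKCU:\Software\iMesh\Client\LocalContent'
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $hits = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps -and "$($_.Value)" -match '\\sys32\s*$' }
        foreach ($p in $hits) {
            [pscustomobject]@{ Type = 'Registry'; Location = "$key\$($p.Name)"; Detail = "$($p.Value)" }
        }
    }

    # 3. File the worm downloads and saves in the root of drive C:.
    $payload = Join-Path $DriveRoot 'autoexec.bat.Exe'
    if (Test-Path -LiteralPath $payload -PathType Leaf) {
        [pscustomobject]@{ Type = 'File'; Location = $payload; Detail = 'downloaded file name from the description' }
    }
}

Get-HarexCArtifact | Format-Table -AutoSize -Wrap
```

The registry check only covers the profile of the user running it, because the keys are under HKCU.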

