VIRUS NAME: W32/Duload.worm

Virus Characteristics

-- Update August 22, 2002 --
The risk assessment was updated to Low-Profiled due to media attention.
Written in Visual Basic 6, this worm attempts to spread via the KaZaa peer-to-peer
file-sharing network.
McAfee products with program heuristics enabled and the 4215 DATs or greater
detect the unpacked worm as 'virus or variant New P2P Worm'.
- The worm installs itself to %WinDir%\System as SYSTEMCONFIG.EXE (e.g. C:\Windows\System\systemconfig.exe).
- The following Registry values are added to run the worm at each subsequent system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"Windows system Configure" = C:\WINDOWS\SYSTEM\SystemConfig.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"Windows system Configure" = C:\WINDOWS\SYSTEM\SystemConfig.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Windows system Configure" = C:\WINDOWS\SYSTEM\SystemConfig.exe
- The worm copies itself into the following directory (creating it if necessary): %WinDir%\System\Media.
Various filenames are used, designed to entice other KaZaa users to run the worm:
1. Alicia Silverstone Payboy Nude.exe
2. Bingo.exe
3. Britney Spears Dance Beat.exe
4. DDos Client.exe
5. Email Bomber.exe
6. FileServer.exe
7. Flash Golf.exe
8. Free Mpegs.exe
9. Free Pics.exe
10. Free Porn.exe
11. Hoes For You Solitare.exe
12. Hotmail Hacker.exe
13. Irc Client.exe
14. J.Lo Bikini Screensaver.exe
15. Jenna Jamison Dildo Humping.exe
16. Kama Sutra Tetris.exe
17. Kazaa Clone.exe
18. Mirc 7.0.exe
19. Napster Clone.exe
20. Pamela Anderson And Tommy Lee Home Video.exe
21. Play Games Online For FREE.exe
22. Ps2 Emulator.exe
23. Ps2 Iso 2 Rom Converter.exe
24. Shakira Dancing.exe
25. Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
26. System Monitor.exe
27. The Sims Game Crack.exe
28. Universal Game Crack.exe
29. Warcraft 3 Battle.net Crack.exe
30. Website Hacker.exe
31. Win A Ps2.exe
32. Win An Xbox.exe
33. Winace.exe
34. Windows Hacker.exe
35. Winmx.exe
36. Winrar.exe
37. Winzip.exe
38. Working Iso Burner.exe
39. Xbox Emulator.exe
40. Xbox Iso 2 Rom Converter.exe
- Various KaZaa settings are then modified by setting the following Registry values, so that the worm's drop directory becomes the shared and download folder:
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir0" = C:\WINDOWS\SYSTEM\Media\
HKEY_LOCAL_MACHINE\Software\Kazaa\CloudLoad
"ShareDir" = C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir1" = C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"Dir2" = 012345:C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\LocalContent
"DisableSharing" = 0
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"DlDir0" = 012345:C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"DlDir1"= C:\WINDOWS\SYSTEM\Media\
HKEY_CURRENT_USER\Software\Kazaa\Transfer
"DlDir99" = 012345:C:\WINDOWS\SYSTEM\Media\
- Additionally, the worm attempts to download an executable file from a URL hard-coded within it. It attempts to save the file as C:\UNINSTALL.EXE and, if successful, executes it. At the time of writing, the remote file was not available at the URL specified within the worm.
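The persistence entries and the KaZaa share/download redirection above are the registry artifacts an analyst would look for on a suspect host or in a registry export taken from it. The following is an added example (not part of the original McAfee description and not code from the worm): it parses a Regedit-style .reg export and reports the Duload indicators named above. The sample exports are constructed for the example; the only assumption beyond the page is that the dumps come from "reg export" or Regedit's File > Export in the standard .reg text format.

```python
import re

# Registry keys named in the description. Autostart entries:
RUN_KEYS = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}
# KaZaa share / download-directory keys the worm points at its drop directory:
KAZAA_KEYS = {
    r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent",
    r"HKEY_LOCAL_MACHINE\Software\Kazaa\CloudLoad",
    r"HKEY_CURRENT_USER\Software\Kazaa\Transfer",
}
RUN_KEYS_LC = {k.lower() for k in RUN_KEYS}
KAZAA_KEYS_LC = {k.lower() for k in KAZAA_KEYS}
WORM_VALUE_NAME = "windows system configure"       # value name written by the worm
WORM_EXE_TAIL = r"\system\systemconfig.exe"        # %WinDir%\System\SystemConfig.exe
DROP_DIR_TAIL = r"\system\media"                   # %WinDir%\System\Media

# Constructed sample: what an export of the relevant keys might look like on an
# infected host (example data for this snippet, not taken from a real machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windows system Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows system Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="C:\\WINDOWS\\SYSTEM\\Media\\"
"Dir2"="012345:C:\\WINDOWS\\SYSTEM\\Media\\"
"DisableSharing"=dword:00000000

[HKEY_CURRENT_USER\Software\Kazaa\Transfer]
"DlDir0"="012345:C:\\WINDOWS\\SYSTEM\\Media\\"
"""

# Constructed clean sample: a normal KaZaa install that shares its own folder.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir0"="012345:C:\\Program Files\\Kazaa\\My Shared Folder\\"
"DisableSharing"=dword:00000000
"""


def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: data}}.
    Quoted REG_SZ data is unescaped (\\\\ and \\"); dword: data becomes an int;
    anything else is kept as its raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def normalize_path(value):
    """Strip the 'NNNNNN:' prefix KaZaa puts on some directory entries
    (e.g. 012345:C:\\WINDOWS\\SYSTEM\\Media\\), drop the trailing backslash
    and lower-case, so paths can be compared by their tail."""
    if not isinstance(value, str):
        return ""
    return re.sub(r"^\d+:", "", value.strip()).rstrip("\\").lower()


def find_indicators(reg):
    """Return (key, value_name, reason) for each Duload artifact in a parsed export."""
    hits = []
    for key, values in reg.items():
        k = key.lower()
        if k in RUN_KEYS_LC:
            for name, data in values.items():
                if name.lower() == WORM_VALUE_NAME or normalize_path(data).endswith(WORM_EXE_TAIL):
                    hits.append((key, name, "autostart entry for SystemConfig.exe"))
        elif k in KAZAA_KEYS_LC:
            redirected = False
            for name, data in values.items():
                if normalize_path(data).endswith(DROP_DIR_TAIL):
                    hits.append((key, name, "KaZaa directory points at %WinDir%\\System\\Media"))
                    redirected = True
            # DisableSharing=0 is an ordinary setting on its own; report it only
            # when the same key also carries a redirected directory.
            if redirected and values.get("DisableSharing") == 0:
                hits.append((key, "DisableSharing", "sharing forced on for the drop directory"))
    return hits


if __name__ == "__main__":
    for key, name, reason in find_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{reason}: {key} -> {name}")
```

On a live host the same checks can be run against the real hives instead of an export; the point of matching on the path tail rather than the literal C:\WINDOWS\SYSTEM string is that %WinDir% differs between installations (C:\WINDOWS, C:\WIN98 and so on), while the worm's directory layout under it does not.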
Symptoms
Existence of the file %WinDir%\System\SystemConfig.exe
Existence of multiple (identical) files in %WinDir%\System\Media\ matching the names listed above
Method Of Infection
This worm spreads via the KaZaa file-sharing network by enticing users into downloading and running it.