
P2P-Worm.Win32.Duload.a

Other versions: .b

Aliases
P2P-Worm.Win32.Duload.a (Kaspersky Lab) is also known as: Worm.P2P.Duload.a (Kaspersky Lab), W32/Duload.worm.gen!p2p (McAfee), W32.HLLW.Yoof (Symantec), Win32.HLLW.Duload.18432 (Doctor Web), W32/Duload-A (Sophos), Win32/Duload.A.worm (RAV), WORM_DULOAD.A (Trend Micro), Worm/Duload.A (H+BEDV), Win32:Duload (ALWIL), Worm/Duload.A (Grisoft), Win32.P2P.Duload.A@mm (SOFTWIN), Worm.Duload.A (ClamAV), W32/Duload.A (Panda), Win32/Duload.A (Eset)
Description added: Oct 31 2002
Behavior: P2P Worm
Technical details

Worm.P2P.Duload represents a family of worms that replicate by copying themselves into a Kazaa network shared folder located on victim machines.

The worm itself is a Windows application (PE EXE file) written in Visual Basic, 18432 bytes in size.

Installation

The worm copies itself to the Windows System directory under the name SystemConfig.exe and modifies the system registry so that this file automatically loads upon start-up.

This is done by writing the following registry values:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
 "Windows System Configure"="[System Directory path]\SystemConfig.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
 "Windows System Configure"="[System Directory path]\SystemConfig.exe"
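
A check for these autorun entries, as an added example that is not part of the original description or Kaspersky Lab's code. It assumes the input is the already-decoded text of a `reg export` (.reg) file; the function name and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above, lowercased for comparison.
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
VALUE_NAME = "windows system configure"
FILE_NAME = "systemconfig.exe"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')

# Constructed sample export (not captured from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows System Configure"="C:\\WINDOWS\\system32\\SystemConfig.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Renamed Entry"="C:\\WINDOWS\\SYSTEM\\SYSTEMCONFIG.EXE"

[HKEY_CURRENT_USER\Software\Example]
"Windows System Configure"="not an autorun key"
"""

def find_duload_autoruns(reg_text):
    """Return (key, value name, data, reason) for autorun entries matching the description."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # remember which key the following values belong to
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or key.lower() not in RUN_KEYS:
            continue                      # only string values under the three listed keys
        # .reg string values escape backslash and double quote with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", m.group(g)) for g in ("name", "data"))
        name_hit = name.lower() == VALUE_NAME
        # Compare only the final path component, so any System directory path matches.
        file_hit = re.split(r"[\\/]", data.strip('" ').lower())[-1] == FILE_NAME
        if name_hit or file_hit:
            reason = "name+file" if name_hit and file_hit else "name" if name_hit else "file"
            hits.append((key, name, data, reason))
    return hits
```

Matching on either the value name or the file name also flags an entry where only one of the two has been changed; the same value name under a key that is not an autorun location is ignored.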

Replication

The Duload worm creates a directory in the Windows System directory named "Media" and then copies itself to this directory under the following names:

Alicia Silverstone Payboy Nude.exe
Bingo.exe
Britney Spears Dance Beat.exe
DDos Client.exe
Email Bomber.exe
FileServer.exe
Flash Golf.exe
Free Mpegs.exe
Free Pics.exe
Free Porn.exe
Hoes For You Solitare.exe
Hotmail Hacker.exe
Irc Client.exe
J.Lo Bikini Screensaver.exe
Jenna Jamison Dildo Humping.exe
Kama Sutra Tetris.exe
Kazaa Clone.exe
Mirc 7.0.exe
Napster Clone.exe
Pamela Anderson And Tommy Lee Home Video.exe
Play Games Online For FREE.exe
Ps2 Emulator.exe
Ps2 Iso 2 Rom Converter.exe
Shakira Dancing.exe
Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
System Monitor.exe
The Sims Game Crack.exe
Universal Game Crack.exe
Warcraft 3 Battle.net Crack.exe
Website Hacker.exe
Win A Ps2.exe
Win An Xbox.exe
Winace.exe
Windows Hacker.exe
Winmx.exe
Winrar.exe
Winzip.exe
Working Iso Burner.exe
Xbox Emulator.exe
Xbox Iso 2 Rom Converter.exe

Then the worm writes several registry values in the [HKEY_CURRENT_USER\Software\Kazaa] registry key, so that the Media directory becomes available as a Kazaa shared directory.

Other

The Worm.P2P.Duload.a variant also acts as a TrojanDownloader: it downloads a malware program from the "http://thisistrash.0catch.com/" site, saves it to "c:\Uninstall.exe" and executes it.

 

Copyright © 1996 - 2010
Kaspersky Lab
Industry-leading Antivirus Software
All rights reserved
 
