Virus:Worm/P2Load.A
Date discovered:16/09/2005
Type:Worm
In the wild:No
Reported Infections:Low
Distribution Potential:Medium
Damage Potential:Low to medium
Static file:Yes
File size:45.081 Bytes
MD5 checksum:38f55a87047ebe7e13cb01c036528c6a
VDF version:6.32.0.14

 General Method of propagation:
   • Peer to Peer


Aliases:
   •  Panda: W32/P2load.A.worm
   •  Bitdefender: Win32.Worm.P2P.Dutt.A


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows XP
   • Windows 2003


Side effects:
   • Blocks access to certain websites
   • Downloads a file
   • Registry modification


Right after execution the following information is displayed:


 Files It copies itself to the following location:
   • %SYSDIR%\winlogin.exe



The following file is created:

– %HOME%\Favorites\Musik, Filme, Software und vieles mehr kostenlos!.url



It tries to download a file:

– The location is the following:
   • http://www.dutty.de/**********.dat
It is saved on the local hard drive under: %WINDIR%\hosts It uses this content to modify the hosts file.

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Winlogin"="%SYSDIR%\winlogin.exe"



The following registry key is changed:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Start Page"=%user defined settings%
   • "Search Page"=%user defined settings%
   • "Search Bar"=%user defined settings%
   New value:
   • "Start Page"="http://www.p2p-load.de/share/?l=e"
   • "Search Page"="http://www.p2p-load.de/share/?l=e"
   • "Search Bar"="http://www.p2p-load.de/share/?l=e"

 P2P In order to infect other systems in the Peer to Peer network community the following action is performed:  


It searches for the following directory:
   • C:\Incoming

   It retrieves shared folders by querying the following registry keys:
   • HKCU\Software\eMule\Install Path
   • HKCU\Software\Kazaa\localContent\DownloadDir
   • HKCU\Software\iMesh\iMesh5\Transfer\DownloadDir
   • HKCU\Software\Shareaza\Downloads\CompletePath

   If successful, the following file is created:
   • %executed file%


 Hosts The host file is modified as explained:

– In this case existing entries are deleted.

– Access to the following domains are redirected to other destinations:
   • www.google.de; www.google.at; www.google.se; www.google.nl;
      www.google.ch; www.google.pl; www.google.fr; www.google.ie;
      www.google.it; www.google.lv; www.google.pt; www.google.sk;
      www.google.es; www.google.hu; www.google.es; www.google.gr;
      www.google.com; google.de; google.at; google.se; google.nl; google.ch;
      google.pl; google.fr; google.ie; google.it; google.lv; google.pt;
      google.sk; google.es; google.hu; google.es; google.gr; google.com;
      wwwgoogle.at; wwwgoogle.se; wwwgoogle.nl; wwwgoogle.ch; wwwgoogle.pl;
      wwwgoogle.fr; wwwgoogle.ie; wwwgoogle.it; wwwgoogle.lv; wwwgoogle.pt;
      wwwgoogle.sk; wwwgoogle.es; wwwgoogle.hu; wwwgoogle.es; wwwgoogle.gr;
      wwwgoogle.com; www.gogle.de; www.gogle.at; www.gogle.se; www.gogle.nl;
      www.gogle.ch; www.gogle.pl; www.gogle.fr; www.gogle.ie; www.gogle.it;
      www.gogle.lv; www.gogle.pt; www.gogle.sk; www.gogle.es; www.gogle.hu;
      www.gogle.es; www.gogle.gr; www.gogle.com; gogle.de; gogle.at;
      gogle.se; gogle.nl; gogle.ch; gogle.pl; gogle.fr; gogle.ie; gogle.it;
      gogle.lv; gogle.pt; gogle.sk; gogle.es; gogle.hu; gogle.es; gogle.gr;
      gogle.com; www.googel.de; www.googel.at; www.googel.se; www.googel.nl;
      www.googel.ch; www.googel.pl; www.googel.fr; www.googel.ie;
      www.googel.it; www.googel.lv; www.googel.pt; www.googel.sk;
      www.googel.es; www.googel.hu; www.googel.es; www.googel.gr;
      www.googel.com; googel.de; googel.at; googel.se; googel.nl; googel.ch;
      googel.pl; googel.fr; googel.ie; googel.it; googel.lv; googel.pt;
      googel.sk; googel.es; googel.hu; googel.es; googel.gr; googel.com




The modified host file will look like this:


 File details Programming language:
 The malware program was written in Delphi.

Description inserted by Oliver Auerbach on Friday, September 16, 2005
Description updated by Andrei Gherman on Friday, September 16, 2005

Back . . . .