Need help? Ask the community or hire an expert.
Go to Avira Answers
Alias:WORM_WINUR.A [Trend], W32/Winur.worm.a [McAfee], Worm.P2P.Winur [KAV]
Size:61,440 Bytes 
Damage:Spreads over shared KaZaA and WinMX programs. 
VDF Version:  

DistributionWorm/Banuris.P2P tries to spread over shared KaZaA and WinMX programs.

Technical DetailsWhen activated, Worm/Banuris.P2P copies itself in two files
A:\Important - read this.doc %62 spaces% .exe
It creates the hidden directory C:\Winrun. Then it copies itself in this directory, as:
Adobe Photoshop cracker.exe
Age of Empire crack.exe
Age of Mythology cracker.exe
All Microsoft games cracker.exe
Anastacia game.exe
AOL hacker.exe
AOL password stealer.exe
Britney spears game.exe
Bugbear remover.exe
Christina Aguilera game.exe
Die another Day DVD full.exe
Die another day flash movie(1).exe
Die another day flash movie.exe
Dvd ripper.exe
EA games Keygen.exe
Esafe desktop protection crack.exe
Frontpage cracker.exe
Hotmail account hacker in 30 minutes.exe
Hotmail hacker.exe
Hotmailhacker v1.0.exe
ICQ hacker.exe
ICQ password stealer.exe
Jack the ripper v1.0.exe
Jackie chan dvd collection.exe
James Bond game - Die another day.exe
John the ripper v1.0.exe
Justin Timberlake Debute movie.exe
Klez fixtool.exe
Lord of the rings VCD.exe
Love calculator.exe
Mcafee virusscanner crack.exe
Microangelo cracker.exe
Most important hacker tool ever!.exe
MSN Messenger commercial cracker.exe
MSN Password stealer.exe
MXlinx 0.30 crack.exe
Nikki cox game and movie.exe
Norton antivirus cracker.exe
Office XP license cracker.exe
pornmovie (hardcore sex adult asian).exe
Red Alert cracker - All versions.exe
Rollercoaster tycoon cracker.exe
Shriek DVD crack patch.exe
Stop the war (intro).exe
Super 2000key keygen.exe
Theme park world cracker.exe
UnIcOrn Gift.exe
Warcraft 3 cracker.exe
Website hacker v1.0.exe
Windows Me crack.exe
Windows XP license cracker.exe
Yaha Fixtool.exe

It makes the registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run msconfig C:\winrun\msconfig.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices winrun c:\winrun\msconfig.exe So wird der Wurm bei jedem Systemstart erneut gestartet.

and also:
HKEY_LOCAL_MACHINE\Software\Microsoft\essengerService\Policies "IMWarning"="(M)Warning: The person who you are talking to is infected with a virus. Send him the removal tool that can be found in C:\klez_removal.exe(M)"
This creates a warning message in MSN Messanger, encouraging the user to send a copy of the worm to all Contacts.

It reduces the security level for KaZaA shared software, by modifying the registry entries:
HKEY_CURRENT_USER\Software\KAZAA\\AdvancedScanFolder 0x00000001 HKEY_USERS\.DEFAULT\Software\KAZAA\AdvancedScanFolder 0x00000001 HKEY_CURRENT_USER\Software\KAZAA\InstantMessagingIgnoreAll 0x00000001 HKEY_USERS\.DEFAULT\Software\KAZAA\InstantMessagingIgnoreAll 0x00000001 HKEY_CURRENT_USER\Software\KAZAA\UserDetailsAutoConnected 0x00000001 HKEY_USERS\.DEFAULT\Software\KAZAA\UserDetailsAutoConnected 0x00000001 HKEY_CURRENT_USER\Software\KAZAA\SettingsFolderWarning 0x00000000 HKEY_USERS\.DEFAULT\Software\KAZAA\Settings FolderWarning 0x00000000 HKEY_CURRENT_USER\Software\KAZAA\LocalContent dir0 13263:C:\Winrun DisableSharing 0x00000000
HKEY_CURRENT_USER\Software\KAZAA\LocalContentdir0 13263:C:\Winrun DisableSharing 0x00000000
adult_filter_level 0x00000000 bogus_filter 0x00000000 fiwewall_fileter 0x00000000 virus_filter 0x00000000
HKEY_USERS\.DEFAULT\Software\KAZAA\ResultsFilter adult_filter_level 0x00000000 bogus_filter 0x00000000 fiwewall_fileter 0x00000000 virus_filter 0x00000000
HKEY_CURRENT_USER\Software\KAZAA\SettingsQuarantine %WinDIR%\%StartupPath% HKEY_USERS\.DEFAULT\Software\KAZAA\SettingsQuarantine %WinDIR%\%StartupPath%

The worm creates the following files:
Description inserted by Crony Walker on Tuesday, June 15, 2004

Back . . . .