Virus: WORM/Silly_P2P.H.19
Date discovered: 12/07/2011
Type: Worm
In the wild: No
Reported infections: Low to medium
Distribution potential: Medium to high
Damage potential: Medium
Static file: Yes
File size: 29.696 Bytes
MD5 checksum: 325CE642A016D9EEAE5259C4F4E36060
VDF version: 7.11.11.68 - Tuesday, July 12, 2011
IVDF version: 7.11.11.68 - Tuesday, July 12, 2011

General methods of propagation:
   • Autorun feature
   • Messenger


Aliases:
   •  Kaspersky: Trojan.Win32.Llac.yxq
   •  Sophos: Troj/Agent-RYH
   •  Microsoft: Worm:Win32/Silly_P2P.H


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %APPDATA%\taskeng.exe

Registry
The following registry keys are added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Update System"="%APPDATA%\taskeng.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "Windows Update System"="%APPDATA%\taskeng.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "Windows Update System"="%APPDATA%\taskeng.exe"
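The file, Run-key and firewall-exception indicators above can be checked on a live host with the following PowerShell triage script. It is an added example written for this page, not Avira's tooling: the path, value name, MD5 and size are taken from the description; the function name, the output shape, the extra lookup of CurrentControlSet alongside the listed ControlSet001 and the scan of every user profile's roaming AppData folder are this example's own choices. It assumes PowerShell 4 or later for Get-FileHash.

```powershell
# Added triage check for the WORM/Silly_P2P.H.19 indicators listed in the description.
# Indicator constants come from the description; everything else is this example's choice.
$KnownMd5  = '325CE642A016D9EEAE5259C4F4E36060'   # MD5 from the description
$KnownSize = 29696                                # 29.696 bytes in the description
$ValueName = 'Windows Update System'              # Run / firewall value name
$FileName  = 'taskeng.exe'                        # dropped file name under %APPDATA%

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# The description lists ControlSet001; CurrentControlSet is added because it is the
# control set the running system actually reads.
$FirewallKeys = @('ControlSet001', 'CurrentControlSet') | ForEach-Object {
    "HKLM:\SYSTEM\$_\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
}

function Get-SillyP2PIndicators {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped file. %APPDATA% is per user, so look in every profile's roaming
    #    folder (Vista+ and XP/2003 layouts), not only the one this shell runs under.
    $appDataDirs = @($env:APPDATA)
    $appDataDirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' }
    $appDataDirs += Get-ChildItem -Path "$env:SystemDrive\Documents and Settings" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'Application Data' }
    foreach ($dir in ($appDataDirs | Select-Object -Unique)) {
        $candidate = Join-Path $dir $FileName
        if (-not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }
        $item = Get-Item -LiteralPath $candidate
        $md5  = (Get-FileHash -LiteralPath $candidate -Algorithm MD5).Hash
        # Report the path hit even when hash or size differ: a repacked variant keeps the name.
        $knownSample = ($md5 -eq $KnownMd5) -and ($item.Length -eq $KnownSize)
        $findings.Add([pscustomobject]@{
            Indicator = 'DroppedFile'
            Location  = $candidate
            Detail    = "md5=$md5 size=$($item.Length) knownSample=$knownSample"
        })
    }

    # 2. Persistence and firewall exception. Match on the value name or on data that
    #    references the dropped file name outside System32 (the legitimate taskeng.exe
    #    lives there on Vista and later), so a renamed value is still surfaced.
    foreach ($key in ($RunKeys + $FirewallKeys)) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }           # skip PSPath, PSParentPath, ...
            $data = "$($p.Value)"
            $suspiciousData = ($data -like "*$FileName*") -and ($data -notlike '*\System32\*')
            if ($p.Name -eq $ValueName -or $suspiciousData) {
                $findings.Add([pscustomobject]@{
                    Indicator = $(if ($key -like '*FirewallPolicy*') { 'FirewallException' } else { 'RunKey' })
                    Location  = $key
                    Detail    = "$($p.Name)=$data"
                })
            }
        }
    }
    return $findings
}

$hits = @(Get-SillyP2PIndicators)
if ($hits.Count -eq 0) { 'No Silly_P2P.H.19 indicators found.' } else { $hits | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM firewall list and other users' profile folders are readable. A RunKey or FirewallException hit with a path hit whose knownSample is false points at a repacked variant rather than the exact sample described here, and is still worth isolating the host for.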

Messenger
It spreads via Messenger. The characteristics are described below:

– Windows Messenger

The URL then refers to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: **********ttt.dyndns.info
Port: 1337
Nickname: %random character string%



– This malware has the ability to collect and send information such as:
    • Platform ID
    • Information about the Windows operating system


– Furthermore, it has the ability to perform actions such as:
    • Connect to the IRC server
    • Disconnect from the IRC server
    • Perform a DDoS attack
    • Start the spreading routine

Miscellaneous
Anti-debugging:
Checks for a debugger or virtual machine using timing-based techniques.

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.

Description inserted by Andrei Ilie on Tuesday, October 11, 2011
Description updated by Andrei Ilie on Wednesday, October 12, 2011
