Alias:
Type:Worm 
Size:38,225 Bytes 
Origin: 
Date:00-00-0000 
Damage:Spreads over shared network resources. 
VDF Version:6.23.00.00 
Danger:Medium 
Distribution:Medium 

Distribution
It spreads over shared network resources.

Technical Details
When activated, Worm/Purol.P2P.B tries to delete all files from the following directories:
C:\Progra~1\eSafe\Protect
C:\Progra~1\McAfee VirusScan
C:\Progra~1\NORTON~1
C:\Progra~1\Acceleration Software\Anti-Virus
C:\Progra~1\F-prot
C:\Progra~1\Mcafee
C:\Progra~1\Kasper~1
C:\Progra~1\Avpersonal
C:\Progra~1\Bullguard

It copies itself as:
C:\%WinDIR%Hwinfoq.com
C:\%WinDIR%\Lorupscr.scr
C:\%WinDIR%\Winstart32.exe

It creates the directory C:\%WinDIR%\MyShares and copies the following files into it:
C:\%WinDIR%\Temporary Internet Files\*.txt
C:\Documents And Settings\Local Settings\Temp\*.doc
\My Chat Logs\*.*
C:\%WinDIR%\*.pwl
C:\%WinDIR%\*.ini
C:\%WinDIR%\temp\*.Doc
C:\%WinDIR%\Temp\*.txt
C:\%WinDIR%\Temp\*.rtf

It checks for the following directories:
C:\%WinDIR%\Myshares
C:\Program Files\Icq\Shared Files
C:\Program Files\Bearshare\Shared
C:\Program Files\Morpheus\My Shared Folder
C:\Program Files\Edonkey2000\Incoming
C:\Program Files\Gnucleus\Downloads
C:\Program Files\Gnucleus\Downloads\Incoming
C:\Program Files\Kazaa\My Shared Folder
C:\Program Files\Kazaa Lite\My Shared Folder
C:\Program Files\Limewire\Shared
and copies itself into some of them.

It makes the registry entries:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices
"Winstart"="c:\windows\winstart32.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
"Winstart"="c:\windows\winstart32.exe"

It also enters the following values:
HKEY_USERS\.DEFAULT\Control Panel\Desktop
"ScreenSaverTimeOut"="300"
"ScrnSAVE.EXE"="c:\windows\lorups~1.scr"
"ScreenSaveActive"="1"

It also modifies the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
"HWINFOa"="c:\windowsHWINFOa.com"
HKEY_USERS\.DEFAULT\Software\Lorup
"Done"="True"

To open the directory C:\Windows\MyShares, the worm makes entries under the following keys:
HKEY_USERS\.DEFAULT\Software\Kazaa
HKEY_USERS\.DEFAULT\Software\Kazaa lite
HKEY_USERS\.DEFAULT\Software\Grokster
HKEY_USERS\.DEFAULT\Software\Grokster lite
HKEY_USERS\.DEFAULT\Software\iMesh
HKEY_USERS\.DEFAULT\Software\iMesh lite
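
A defender's check for the registry persistence described above, written as an added example that is not part of the original description: it parses the text of a registry export and reports which of the listed values are present. The function names and the sample export are constructed for illustration.

```python
import re

# Indicators from the description above: (key, value name, data).
# data=None: match on the value name alone. Comparison is case-insensitive.
INDICATORS = [
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices",
     "Winstart", r"c:\windows\winstart32.exe"),
    (r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run",
     "Winstart", r"c:\windows\winstart32.exe"),
    (r"HKEY_USERS\.DEFAULT\Control Panel\Desktop",
     "ScrnSAVE.EXE", r"c:\windows\lorups~1.scr"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "HWINFOa", None),
    (r"HKEY_USERS\.DEFAULT\Software\Lorup", "Done", "True"),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg files escape \ and " with a backslash

def parse_reg(text):
    """Return {(key, name): data}, keys and names lowercased, for string values."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            values[(key, unescape(m.group(1)).lower())] = unescape(m.group(2))
    return values

def find_purol_traces(text):
    """List the (key, name, data) indicators present in a .reg export."""
    values = parse_reg(text)
    hits = []
    for key, name, expected in INDICATORS:
        data = values.get((key.lower(), name.lower()))
        if data is not None and (expected is None or data.lower() == expected.lower()):
            hits.append((key, name, data))
    return hits

# Constructed sample export: a matching Run value and a benign screensaver.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Winstart"="C:\\WINDOWS\\Winstart32.exe"
[HKEY_USERS\.DEFAULT\Control Panel\Desktop]
"ScrnSAVE.EXE"="c:\\windows\\system32\\logon.scr"
"ScreenSaveActive"="1"
'''

if __name__ == "__main__":
    for hit in find_purol_traces(SAMPLE):
        print(hit)
```

The function expects decoded text; exports headed "Windows Registry Editor Version 5.00" are UTF-16 on disk and must be decoded before being passed in.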
Description inserted by Crony Walker on Tuesday, June 15, 2004
