Virus: WORM/Silly_P2P.H.14
Date discovered: 28/04/2011
Type: Worm
In the wild: No
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 671.788 Bytes
MD5 checksum: B8ED2E73B39AE02B15244C52DDA5505C
VDF version: 7.11.07.62 - Thursday, April 28, 2011
IVDF version: 7.11.07.62 - Thursday, April 28, 2011

General Methods of propagation:
   • Autorun feature
   • Messenger


Aliases:
   •  Kaspersky: Trojan.Win32.Llac.yxq
   •  Sophos: Troj/Agent-RYH
   •  Microsoft: Worm:Win32/Silly_P2P.H


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Third party control
   • Drops malicious files
   • Lowers security settings
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %APPDATA%\webdev.exe



The following files are created:
   • %TEMPDIR%\google_cache2.tmp: contains parameters used by the malware.
   • %TEMPDIR%\%hex values%: contains parameters used by the malware.

Registry
The following registry keys are added in order to run the processes after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "WindowsUpdate"="%APPDATA%\webdev.exe"

– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   • "WindowsUpdate"="%APPDATA%\webdev.exe"



It creates the following entry in order to bypass the Windows XP firewall:

– [HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
   • "WindowsUpdate"="%APPDATA%\webdev.exe"

Messenger
It is spreading via Messenger. The characteristics are described below:

– Windows Messenger

The URL then points to a copy of the described malware. If the user downloads and executes this file, the infection process starts again.

IRC
To deliver system information and to provide remote control, it connects to the following IRC server:

Server: qeshmjaa.zapto.org



– This malware has the ability to collect and send information such as:
    • Platform ID
    • Information about the Windows operating system


– Furthermore it has the ability to perform actions such as:
    • Connect to IRC server
    • Disconnect from IRC server
    • Perform DDoS attack
    • Start spreading routine

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
In order to hinder detection and reduce the file size, it is packed with the following runtime packer:
   • ASPack

Description inserted by Andrei Ilie on Tuesday, September 20, 2011
Description updated by Andrei Ilie on Wednesday, September 21, 2011
