
Win32.Worm.P2P.Puce.G


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.P2P.Puce.G.

Explanation:

This is a peer-to-peer (P2P) worm with multiple spreading mechanisms, including the shared folders of popular file-sharing applications such as Kazaa, Morpheus, Edonkey2000 or eMule.

When first executed, the worm takes the following actions:
- copies itself to C:\Documents and Settings\<user-name>\Local Settings\Temp as svchost.exe
- sets the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsServicesStartup = C:\DOCUME~1\LOCALS~1\Temp\svchost.exe
- executes the created file with the string "1" as a command-line parameter

Disguised as svchost.exe, the malware then starts spreading across local disks and local area network shares.

It also creates a text file and opens it through the ShellExecute API with the "open" verb. The text file's content is:

PRE-INSTALL v1.07
(C) pUcE Software 2006
Pre-install has checked your config.
Everything is ok, you can now run the setup program
Enjoy!

To allow only one instance of itself to run at a time, it creates a mutex named TINYpUcE.
It spreads through the shared folders of multiple P2P applications, which may be any of the following:

D:\Program files\emule\incoming
C:\Program files\emule\incoming
E:\Program files\emule\incoming
C:\Download
D:\Download
E:\Download
C:\Incoming
D:\Incoming
E:\Incoming
F:\Incoming
G:\Incoming
C:\Archivos de programa\emule\incoming
D:\Archivos de programa\emule\incoming
E:\Archivos de programa\emule\incoming
C:\Program Files\Kazaa Lite K++\My Shared Folder
D:\Program Files\Kazaa Lite K++\My Shared Folder
E:\Program Files\Kazaa Lite K++\My Shared Folder
C:\Program files\KMD\My Shared Folder
D:\Program files\KMD\My Shared Folder
E:\Program files\KMD\My Shared Folder
C:\Program files\KaZaA Lite\My Shared Folder
D:\Program files\KaZaA Lite\My Shared Folder
E:\Program files\KaZaA Lite\My Shared Folder
C:\Program files\Morpheus\My Shared Folder
D:\Program files\Morpheus\My Shared Folder
E:\Program files\Morpheus\My Shared Folder
C:\Program files\BearShare\Shared
D:\Program files\BearShare\Shared
E:\Program files\BearShare\Shared
C:\Program files\Edonkey2000\Incoming
D:\Program files\Edonkey2000\Incoming
E:\Program files\Edonkey2000\Incoming
C:\My Downloads
D:\My Downloads
E:\My Downloads
C:\My Shared Folder
D:\My Shared Folder
E:\My Shared Folder
C:\Program files\appleJuice\incoming
D:\Program files\appleJuice\incoming
E:\Program files\appleJuice\incoming
C:\Program files\Gnucleus\Downloads
D:\Program files\Gnucleus\Downloads
E:\Program files\Gnucleus\Downloads
C:\Program files\Grokster\My Grokster
D:\Program files\Grokster\My Grokster
E:\Program files\Grokster\My Grokster
C:\Program files\ICQ\shared files
D:\Program files\ICQ\shared files
E:\Program files\ICQ\shared files
C:\Program files\KaZaA\My Shared Folder
D:\Program files\KaZaA\My Shared Folder
E:\Program files\KaZaA\My Shared Folder
C:\Program files\LimeWire\Shared
D:\Program files\LimeWire\Shared
E:\Program files\LimeWire\Shared
C:\Program files\Overnet\incoming
D:\Program files\Overnet\incoming
E:\Program files\Overnet\incoming
C:\Program files\Shareaza\Downloads
D:\Program files\Shareaza\Downloads
E:\Program files\Shareaza\Downloads
C:\Program files\Swaptor\Download
D:\Program files\Swaptor\Download
E:\Program files\Swaptor\Download
C:\Program files\WinMX\My Shared Folder
D:\Program files\WinMX\My Shared Folder
E:\Program files\WinMX\My Shared Folder
C:\Program files\Tesla\Files
D:\Program files\Tesla\Files
E:\Program files\Tesla\Files
C:\Program files\XoloX\Downloads
D:\Program files\XoloX\Downloads
E:\Program files\XoloX\Downloads
C:\Program files\Rapigator\Share
D:\Program files\Rapigator\Share
E:\Program files\Rapigator\Share

It copies itself into every .zip or .rar archive found in these folders and may rename the archive as follows:

%filename%.zip to %filename% updated-fixed mm-yyyy.zip
%filename%.rar to %filename% updated-fixed mm-yyyy.rar

where mm is the current month and
yyyy is the current year

Inside these archives the malware appears as Setup.exe, Install.exe or _Run_Me_First.exe.
It uses an empty control file named _trash.tmp to mark archives it has already infected. If this file exists, it leaves that archive alone.
Otherwise, for .zip files, it checks whether Setup.exe exists. If it does, it inserts itself as Install.exe, provided no file of that name is already present.
If an Install.exe is also present, it inserts itself as _Run_Me_First.exe instead.

For .rar files only the _trash.tmp check is performed; the worm is copied into the archive under the name setup.exe.
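As an added defender-side example (not part of the BitDefender description), the following Python scanner applies the indicators above to the .zip archives in a share folder: the _trash.tmp marker, the _Run_Me_First.exe name, the Setup.exe/Install.exe pair, and the "updated-fixed mm-yyyy" rename. It assumes the marker is stored inside the archive (the description does not say where it is written) and handles only .zip, since the standard library cannot read .rar; the sample archives it builds are constructed placeholders.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Indicators from the description: marker file and "updated-fixed mm-yyyy" rename.
MARKER = "_trash.tmp"
RENAME_RE = re.compile(r" updated-fixed (0[1-9]|1[0-2])-\d{4}\.(zip|rar)$", re.I)

def suspicious_name(path):
    """True if the archive's file name matches the worm's rename pattern."""
    return RENAME_RE.search(Path(path).name) is not None

def scan_zip(path):
    """Return the indicators found in one .zip archive (empty list if clean).
    Assumption: _trash.tmp is stored inside the archive, not beside it."""
    findings = []
    if suspicious_name(path):
        findings.append("name matches 'updated-fixed mm-yyyy' pattern")
    with zipfile.ZipFile(path) as zf:
        names = {Path(n).name.lower() for n in zf.namelist()}
    if MARKER in names:
        findings.append("marker file " + MARKER + " present")
    if "_run_me_first.exe" in names:
        findings.append("_Run_Me_First.exe present")
    if {"setup.exe", "install.exe"} <= names:
        findings.append("both Setup.exe and Install.exe present")
    return findings

def scan_folder(folder):
    """Map each *.zip in folder to its findings, omitting clean archives."""
    return {p.name: f for p in Path(folder).glob("*.zip") if (f := scan_zip(p))}

def make_sample_archives():
    """Constructed test data in a temp dir: one clean archive and one carrying
    the marker plus the extra executable (placeholder bytes, not malware)."""
    folder = Path(tempfile.mkdtemp()) / "incoming"
    folder.mkdir()
    with zipfile.ZipFile(folder / "tool.zip", "w") as zf:
        zf.writestr("Setup.exe", b"placeholder")
    with zipfile.ZipFile(folder / "tool updated-fixed 11-2011.zip", "w") as zf:
        zf.writestr("Setup.exe", b"placeholder")
        zf.writestr("Install.exe", b"placeholder")
        zf.writestr(MARKER, b"")
    return folder

def demo():
    """Scan the constructed sample folder and return {archive: findings}."""
    return scan_folder(make_sample_archives())
```

Point scan_folder at a real share folder from the list above to triage it; the Setup.exe/Install.exe pair is a weak indicator on its own and should be weighed together with the marker file.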

Last update 21 November 2011
