
Win32.P2P.Tanked.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

Win32.P2P.Tanked.B is also known as Worm.P2P.Tanked.14 (Kaspersky).

Explanation:

This worm spreads through Kazaa and iMesh. Once executed, the worm does the following:
1. Copies itself to the %SYSTEM% folder as cmd32.exe.
2. Sets the registry keys described below.

Notes: the worm sets the key

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe %SYSTEM%\cmd32.exe"

only if the installed OS is NT based (Windows NT, 2000, XP).

The entries of the registry key

[HKEY_LOCAL_MACHINE\Software\Krypton]

point to the copies of the worm.

3. It searches the registry for entries of Kazaa and iMesh to see whether they are installed. If they are, the worm does the following:
Creates the folders (%WINDIR% points to the Windows folder):

%WINDIR%\UserTemp
%WINDIR%\User32

where it places copies of itself under one or more of the following names:

Battlefield1942_bloodpatch.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
AquaNox2 Crack.exe
NBA2003_crack.exe
FIFA2003 crack.exe
C&C Generals_crack.exe
UT2003_keygen.exe
UT2003_no cd (crack).exe
Age of Empires 2 crack.exe
Anno 1503_crack.exe
C&C Renegade_crack.exe
Diablo 2 Crack.exe
Gothic 2 licence.exe
GTA 3 Crack.exe
GTA 3 patch (no cd).exe
Hitman_2_no_cd_crack.exe
Mafia_crack.exe
Neverwinter_Nights_licence.exe
NHL 2003 crack.exe
WarCraft_3_crack.exe
Splinter_Cell_Crack.exe
Battlefield1942_keygen.exe
Winamp 3.8.exe
MediaPlayer Update.exe
UT2003_patch.exe
ACDSee 5.5.exe
DivX Video Bundle 6.5.exe
Global DiVX Player 3.0.exe
QuickTime_Pro_Crack.exe
KaZaA Lite (New).exe
iMesh 3.7b (beta).exe
iMesh 3.6.exe
KaZaA Hack 2.5.0.exe
DirectDVD 5.0.exe
Flash MX crack (trial).exe
Ad-aware 6.5.exe
WinZip 9.0b.exe
SmartFTP 2.0.0.exe
ICQ Lite (new).exe
ICQ Pro 2003b (new beta).exe
ICQ Pro 2003a.exe
AOL Instant Messenger.exe
Download Accelerator Plus 6.1.exe
Trillian 0.85 (free).exe
MSN Messenger 5.2.exe
Network Cable e ADSL Speed 2.0.5.exe
mIRC 6.40.exe
GetRight 5.0a.exe
Pop-Up Stopper 3.5.exe
Yahoo Messenger 6.0.exe
KaZaA Speedup 3.6.exe
Nero Burning ROM crack.exe
WindowBlinds 4.0.exe
Animated Screen 7.0b.exe
Living Waterfalls 1.3.exe
Matrix Screensaver 1.5.exe
Popup Defender 6.5.exe
Space Invaders 1978.exe
SmartRipper v2.7.exe
TweakAll 3.8.exe
DVD Copy Plus v5.0.exe
Serials 2003 v.8.0 Full.exe
Zelda Classic 2.00.exe
Need 4 Speed crack.exe
Links 2003 Golf game (crack).exe
Netfast 1.8.exe
Guitar Chords Library 5.5.exe
DVD Region-Free 2.3.exe
Cool Edit Pro v2.55.exe
Coffee Cup Free HTML 7.0b.exe
Clone CD 5.0.0.3.exe
Clone CD 5.0.0.3 (crack).exe
Nimo CodecPack (new) 8.0.exe
Business Card Designer Plus 7.9.exe
Steinberg_WaveLab_5_crack.exe
Hot Babes XXX Screen Saver.exe
FreeRAM XP Pro 1.9.exe
IrfanView 4.5.exe
Audiograbber 2.05.exe
WinOnCD 4 PE_crack.exe
Final Fantasy VII XP Patch 1.5.exe
BabeFest 2003 ScreenSaver 1.5.exe
PalTalk 5.01b.exe
DirectX Buster (all versions).exe
DirectX InfoTool.exe
Unreal2_crack.exe
FlashGet 1.5.exe
Babylon 3.50b reg_crack.exe
mp3Trim PRO 2.5.exe

In the registry keys:

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
[HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent]

it creates one of the registry entries (? represents a random number in the range 0..63):

Dir? 012345:%WINDIR%\UserTemp
Dir? 012345:%WINDIR%\User32

thus sharing copies of the worm within Kazaa and/or iMesh.
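Added example (not part of the BitDefender writeup): a small Python checker that parses a .reg export of the Winlogon key and the Kazaa/iMesh LocalContent keys described above and flags the two signs of this worm, a Winlogon "Shell" value that launches anything besides explorer.exe, and a DirN share entry pointing inside the Windows directory. The sample export, the C:\WINDOWS path and the value layout are constructed assumptions for illustration.

```python
import re

# Constructed sample of what `reg export` of the relevant keys might look like on an
# infected NT-based host (paths follow the writeup; .reg doubles backslashes in data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\cmd32.exe"

[HKEY_CURRENT_USER\Software\Kazaa\LocalContent]
"Dir7"="012345:C:\\WINDOWS\\UserTemp"
"Dir0"="012345:C:\\My Shared Folder"
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
LOCAL_CONTENT = (
    r"HKEY_CURRENT_USER\Software\Kazaa\LocalContent",
    r"HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent",
)

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and (m := re.match(r'"([^"]+)"="(.*)"$', line)):
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_indicators(text, windir=r"C:\WINDOWS"):
    """Return findings for the Winlogon Shell hook and P2P share entries."""
    findings = []
    keys = parse_reg(text)
    shell = keys.get(WINLOGON, {}).get("Shell", "explorer.exe")
    # A clean NT-based host has Shell set to exactly "explorer.exe"; anything appended runs at logon.
    if shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell launches extra program: {shell!r}")
    for key in LOCAL_CONTENT:
        for name, data in keys.get(key, {}).items():
            if not re.fullmatch(r"Dir\d+", name):
                continue
            # Kazaa/iMesh store shared folders as "<flags>:<path>"; a share under
            # the Windows directory is not something a user sets up by hand.
            _, _, path = data.partition(":")
            if path.lower().startswith(windir.lower() + "\\"):
                findings.append(f"{key}\\{name} shares a folder under the Windows directory: {path}")
    return findings
```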

4. It opens a random TCP port and a random UDP port.

5. It connects to an IRC channel and waits for commands to be issued by an attacker. Thus, the attacker may:
send private and system information from the infected system
download files to the infected computer
execute files on the infected computer
perform a DoS (Denial of Service) attack on an IP
send the worm to other users

Last update 21 November 2011
