Duload Network Worm

Discussion in 'malware problems & news' started by Paul Wilders, Aug 22, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Kaspersky Labs reports the detection of the network worm "Duload", which is spreading across the KaZaA file-exchange network. Presently Kaspersky Labs has already received several registered instances of infection in Italy.

    The worm is a Windows (PE EXE) attachment written in Visual Basic. Currently two variants of the Duload worm are known, each having a different file size:

    Worm.P2P.Duload.a - 18432 bytes
    Worm.P2P.Duload.b - 7680 bytes (Compressed with UPX utility)

    If the infected attachment is accidentally opened "Duload" copies itself to the Windows system directory under the name "SystemConfig.exe" and modifies the system registry so that this file automatically loads each time Windows is started.

    Next, the Duload worm creates a folder in the Windows directory called "Media" and copies itself to this directory under 39 different names.

    Such as:

    Pamela Anderson And Tommy Lee Home Video.exe
    Alicia Silverstone Payboy Nude.exe
    Kama Sutra Tetris.exe
    Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
    The Sims Game Crack.exe
    Warcraft 3 Battle.net Crack.exe

    "Duload" then once again modifies the system registry in order to make the "Media" folder accessible to all other KaZaA network users.

    One modification of the worm (Worm.P2P.Duload.a) also downloads from an Internet site several Trojan programs designed to establish unauthorized remote management of victim computers.

    Detection of this malware has already been added to the anti-virus database.
     
  2. FanJ

    FanJ Guest

    W32/Duload-A

    Name: W32/Duload-A
    Aliases: Worm.P2P.Duload.a
    Type: Win32 worm
    Date: 23 August 2002


    At the time of writing Sophos has received no reports from users
    affected by this worm. However, we have issued this advisory
    following enquiries to our support department from customers.

    Note: This IDE is a combined IDE for both variants W32/Duload-A
    and W32/Duload-B.

    Description
    W32/Duload-A is a worm that spreads in the Kazaa network. When run it copies itself into the Windows system folder as SystemConfig.exe and sets the following registry entries so that it will be automatically run when Windows starts up.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
    Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Windows System Configure = C:\<Windows System folder>\ SystemConfig.exe

    The worm creates a folder named Media in the Windows system folder and creates several copies of itself in this folder using the following names:

    Jenna Jamison Dildo Humping.exe
    Pamela Anderson And Tommy Lee Home Video.exe
    Alicia Silverstone Payboy Nude.exe
    Kama Sutra Tetris.exe
    Flash Golf.exe
    Hoes For You Solitare.exe
    Bingo.exe
    Irc Client.exe
    Mirc 7.0.exe
    Email Bomber.exe
    FileServer.exe
    Kazaa Clone.exe
    Napster Clone.exe
    Winmx.exe
    Website Hacker.exe
    Hotmail Hacker.exe
    Windows Hacker.exe
    Free Porn.exe
    Free Mpegs.exe
    Free Pics.exe
    Xbox Emulator.exe
    Britney Spears Dance Beat.exe
    Shakira Dancing.exe
    J.Lo Bikini Screensaver.exe
    Universal Game Crack.exe
    Soldier Of Fortune 2 Mutiplayer Serial Hack.exe
    Play Games Online For FREE.exe
    Win A Ps2.exe
    Win An Xbox.exe
    Ps2 Emulator.exe
    Ps2 Iso 2 Rom Converter.exe
    Xbox Iso 2 Rom Converter.exe
    The Sims Game Crack.exe
    Working Iso Burner.exe
    Winzip.exe
    Winrar.exe
    Winace.exe
    System Monitor.exe
    Warcraft 3 Battle.net Crack.exe

    W32/Duload-A sets several entries under the registry entry
    HKCU\Software\Kazaa so that the Media folder will become shared in the Kazaa network.

    W32/Duload-A also downloads a file from xxxxx.xxxxx.xxxxx into C:\Uninstall.exe and executes it.



    More information about W32/Duload-A can be found at
    http://www.sophos.com/virusinfo/analyses/w32duloada.html


    Note from FanJ: I deleted a link
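    Both advisories above (Kaspersky's and the Sophos one FanJ quoted) describe the same two host-side traces: the "Windows System Configure" values under the Run/RunServices keys pointing at SystemConfig.exe, and the Media folder full of lure executables. The script below is an added example, not code from either vendor or from this thread, that checks an offline registry export and a folder listing for exactly those indicators. The .reg text and the folder listing in it are constructed samples, and the "three or more lure names" threshold in `assess` is my own judgment call, not something the advisories state. The HKCU\Software\Kazaa share values are not checked because neither advisory names them.

```python
"""Added example: offline check for the Duload autostart values and lure file
names listed in the Kaspersky and Sophos advisories. Sample data is constructed."""
import re
from pathlib import PureWindowsPath

# Autostart keys named in the Sophos advisory (matched case-insensitively).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
VALUE_NAME = "Windows System Configure"
DROPPED_FILE = "systemconfig.exe"

# The 39 lure names from the Sophos advisory, lower-cased for matching.
LURE_NAMES = {n.lower() for n in (
    "Jenna Jamison Dildo Humping.exe", "Pamela Anderson And Tommy Lee Home Video.exe",
    "Alicia Silverstone Payboy Nude.exe", "Kama Sutra Tetris.exe", "Flash Golf.exe",
    "Hoes For You Solitare.exe", "Bingo.exe", "Irc Client.exe", "Mirc 7.0.exe",
    "Email Bomber.exe", "FileServer.exe", "Kazaa Clone.exe", "Napster Clone.exe",
    "Winmx.exe", "Website Hacker.exe", "Hotmail Hacker.exe", "Windows Hacker.exe",
    "Free Porn.exe", "Free Mpegs.exe", "Free Pics.exe", "Xbox Emulator.exe",
    "Britney Spears Dance Beat.exe", "Shakira Dancing.exe", "J.Lo Bikini Screensaver.exe",
    "Universal Game Crack.exe", "Soldier Of Fortune 2 Mutiplayer Serial Hack.exe",
    "Play Games Online For FREE.exe", "Win A Ps2.exe", "Win An Xbox.exe",
    "Ps2 Emulator.exe", "Ps2 Iso 2 Rom Converter.exe", "Xbox Iso 2 Rom Converter.exe",
    "The Sims Game Crack.exe", "Working Iso Burner.exe", "Winzip.exe", "Winrar.exe",
    "Winace.exe", "System Monitor.exe", "Warcraft 3 Battle.net Crack.exe",
)}


def parse_reg_export(text):
    """Parse a minimal .reg export into {key (lower-cased): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if m:
                name, data = m.group(1), m.group(2)
                if len(data) >= 2 and data[0] == data[-1] == '"':
                    data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
                keys[current][name] = data
    return keys


def find_run_persistence(keys):
    """Return (key, value name, data) for autostart entries matching Duload."""
    hits = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name == VALUE_NAME or PureWindowsPath(data).name.lower() == DROPPED_FILE:
                hits.append((key, name, data))
    return hits


def find_lure_files(listing):
    """Return the entries of a Media-folder listing that match the lure names."""
    return sorted(f for f in listing if f.lower() in LURE_NAMES)


def assess(reg_text, listing):
    """Combine both checks. The lure-count threshold is an assumption, not from the advisories."""
    persistence = find_run_persistence(parse_reg_export(reg_text))
    lures = find_lure_files(listing)
    return {
        "persistence": persistence,
        "lure_files": lures,
        "suspected_duload": bool(persistence) or len(lures) >= 3,
    }


# Constructed sample export: one benign Run value plus the three Duload values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Windows System Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows System Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows System Configure"="C:\\WINDOWS\\SYSTEM\\SystemConfig.exe"
'''

# Constructed Media-folder listing; chimes.wav stands in for a legitimate file.
SAMPLE_MEDIA_LISTING = [
    "Kama Sutra Tetris.exe", "WINZIP.EXE", "Warcraft 3 Battle.net Crack.exe", "chimes.wav",
]

if __name__ == "__main__":
    report = assess(SAMPLE_REG, SAMPLE_MEDIA_LISTING)
    for key, name, data in report["persistence"]:
        print(f"autostart: {key}\\{name} = {data}")
    print("lure files:", report["lure_files"])
    print("suspected Duload:", report["suspected_duload"])
```

    On a real host the export would come from `regedit /e` on the three keys and the listing from the Media folder the advisory names; matching on value name and on the file name separately means a renamed dropped file still trips on the "Windows System Configure" value, and vice versa.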
     
  3. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
    By the types of files in the list you can see who it's targeted at!!
    The porn, hacking, and game freaks
     
  4. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    What about:
    Winzip.exe
    Winrar.exe
    Winace.exe
    System Monitor.exe
    Irc Client.exe
    Mirc 7.0.exe
    Working Iso Burner.exe

    They are not part of the porn, hacking, and game freaks!


    Technodrome
     